Method and apparatus for factoring large integers

ABSTRACT

This patent describes a method, apparatus and computer program which factor a large integer N 0  in a time of the order of p 2 ·log p   4  N 0 , where p denotes a prime.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation-in-part of U.S. patent application Ser. No. 15/099,306 filed Apr. 14, 2016 and claims priority from U.S. provisional applications Ser. No. 62/257,045 filed Nov. 18, 2015; 62/204,278 filed Aug. 12, 2015 and 62/154,230 filed Apr. 29, 2015, all of which are incorporated by reference herein.

I. FIELD OF THE INVENTION

The present invention is related to solving an equation in two or more unknown integer variables, where each variable is represented by a multiplicity of multiples of powers of an odd prime p. Specifically, the present invention is related to factoring an integer N₀ restating the problem into the factorization of an appropriate integer N which is a quadratic residue modulo p, then factoring N in a time of order of p²·log_(p) ⁴N.

II. BACKGROUND

The problem of resolving a large integer into the product of its prime factors has stimulated the intellectual curiosity and the imagination of many generations of mathematicians.

In 1801 Gauss wrote: “. . . the dignity of the science itself seems to require that every possible means be explored for the solution of a problem so elegant and so celebrated.” [1,397]

The problem has attracted renewed interest, ever since R. L. Rivest, A. Shamir and L. Adleman proposed an encryption method which is based on the computational difficulty of the factorization problem [2].

This note introduces a method and apparatus which allows the factorization of a large odd integer N in logarithmic time.

III. SUMMARY

The present invention pertains to a method for decoding an encrypted electromagnetic signal W encoded by a first computer with public key N₀=r×s, where N₀, r and s are integers and W is a function of r and s. The method comprises the steps of storing the signal W in a non-transient memory. There is the step of decoding with a second computer in communication with the memory the signal W in the memory with the second computer generated steps of selecting a prime number p of the form p=4k+1 for an odd integer k such that the public key N₀ is a non-quadratic residue modulo p calculating n₀ satisfying the inequalities p^(n) ⁰ ⁻¹<N₀<p^(n) ⁰ ; computing N=τN₀ with a selection of τ such that N is a quadratic residue modulo p^(n) ⁰ ; calculating n satisfying the inequalities p^(n−1)<N<p^(n) and calculating a solution to N≡A ²(mod p ^(n))  (1) by using the representation

$\begin{matrix} {A = {\sum\limits_{i = 0}^{n}{\omega_{i}p^{i}}}} & (2) \end{matrix}$ where ω_(i) satisfies the condition 0<ω_(i) <p ^(n−1).  (3)

There is the step of decrypting with the second computer the signal W with the public key N₀ and the prime factors of integer N₀. There is the step of displaying on a display by the second computer the decrypted signal W. There is the step of reviewing the decrypted signal W and its relevance.

The present invention pertains to a second computer for decoding an encrypted electromagnetic signal W encoded by a first computer with public key N₀=r×s, where N₀, r and s are integers and W is a function of r and s, comprising:

-   -   a non-transient memory in which the signal W is stored;

decoding with a CPU in communication with the memory the signal W in the memory that decodes the signal W by the second computer generated steps of selecting a prime number p of the form p=4k+1 for an odd integer k such that the public key N₀ is a non-quadratic residue modulo p calculating; n₀ satisfying the inequalities p^(n) ⁰ ⁻¹<N₀<p^(n) ⁰ ; computing N=τN₀ with a selection of τ such that N is a quadratic residue modulo p^(n) ⁰ ; calculating n satisfying the inequalities p^(n−1)<N<p^(n) and calculating a solution to N≡A ²(mod p ^(n))   (4) by using the representation

$\begin{matrix} {A = {\sum\limits_{i = 0}^{n}{\omega_{i}p^{i}}}} & (5) \end{matrix}$ where ω_(i) satisfies the condition 0<ω_(i) <p ^(n−1).  (6) the CPU decrypting the signal W with the public key N₀ and the prime factors of integer N₀; and

a display on which the decrypted signal W is displayed so the decrypted signal W can be reviewed to determine the relevance of the decrypted signal W. The display can be a computer screen or smart phone screen or any screen or piece of paper on which the decrypted signal W is printed or any medium on which the decrypted signal W can be reviewed.

The present invention pertains to a non-transitory readable storage medium which includes a computer program stored on the storage medium for decoding an encrypted electromagnetic signal W encoded by a first computer with public key N₀=r×s, where N₀, r and s are integers and W is a function of r and s, where the signal W has been stored in a non-transient memory of a second computer, having the second computer generated steps of:

selecting a prime number p of the form p=4k+1 for an odd integer k such that the public key N₀ is a non-quadratic residue modulo p; calculating N₀ satisfying the inequalities p^(n) ⁰ ⁻¹<N₀<p^(n) ⁰ ; computing N=τN₀ with a selection of τ such that N is a quadratic residue modulo p^(n) ⁰ ; calculating n satisfying the inequalities p^(n−1)<N<p^(n); and calculating a solution to N≡A ²(mod p ^(n))   (7) by using the representation

$\begin{matrix} {A = {\sum\limits_{i = 0}^{n}{\omega_{i}p^{i}}}} & (8) \end{matrix}$ where ω_(i) satisfies the condition

There is the step of decrypting with the second computer the signal W with the public key N₀, and the prime factors of integer N₀. There is the step of displaying on a display by the second computer the decrypted signal W for predetermined words to determine the relevance of the decrypted signal W.

IV. BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 is a graphical representation of the integer Ã²−N.

FIG. 2 is a graphical representation of the integer Ã²·(Y−Ã).

FIG. 3 is a graphical representation of the integer (Y−Ã)².

FIG. 4 is a graphical representation of the integer X².

FIG. 5 is a block diagram regarding the claimed invention.

V. DESCRIPTION OF THE INVENTION: THE PROBLEM

Given a positive odd integer N₀, it is desired to determine a pair of integers r₀ and s₀ such that N ₀ =r ₀ ·s ₀.  (10)

The problem can also be stated as the search for two integers Y₀ and X₀ such that N ₀ =Y ₀ ² −X ₀ ².  (11)

The pairs (r₀, s₀) and (Y₀, X₀) are related as follows:

$\begin{matrix} \left\{ {\begin{matrix} {Y_{0} = \frac{r_{0} + s_{0}}{2}} \\ {X_{0} = \frac{r_{0} - s_{0}}{2}} \end{matrix}.} \right. & (12) \end{matrix}$

Conversely,

$\begin{matrix} \left\{ {\begin{matrix} {r_{0} = {Y_{0} + X_{0}}} \\ {s_{0} = {Y_{0} - X_{0}}} \end{matrix}.} \right. & (13) \end{matrix}$

If r₀>s₀>0, both Y₀ and X₀ are positive. In this case it is useful to consider some limit cases in order to develop an appreciation for the magnitude of the variables.

One of the limit cases occurs when the pair (r₀, s₀) is a pair of “twin primes”, such as (43, 41). In these cases,

$\begin{matrix} \left\{ {\begin{matrix} {X_{0} = 1} \\ {Y_{0} = \sqrt{N_{0} + 1}} \end{matrix}.} \right. & (14) \end{matrix}$

At the other end is the case when r₀ approximates N₀. At the limit, consider a pair (r₀, s₀) equaling (N₀, 1). Then

$\begin{matrix} \left\{ {\begin{matrix} {X_{0} = \frac{N_{0} - 1}{2}} \\ {Y_{0} = \frac{N_{0} + 1}{2}} \end{matrix}.} \right. & (15) \end{matrix}$ Therefore, in all cases

$\begin{matrix} \left\{ {\begin{matrix} {X_{0}^{2} < Y_{0}^{2}} \\ {1 \leq X_{0}^{2} < \left( \frac{N_{0} - 1}{2} \right)^{2}} \\ {{N_{0} + 1} \leq Y_{0}^{2} < \left( \frac{N_{0} + 1}{2} \right)^{2}} \end{matrix}.} \right. & (16) \end{matrix}$ Thus, in all cases, Y₀ ²>N₀. In some cases, X₀ ² is greater than N₀.

VI. A RESTATEMENT

Given N₀ and an odd prime p, the general solution of (10) has the following form:

$\begin{matrix} \left\{ {\begin{matrix} {r_{0} = {\alpha + {\lambda_{0} \cdot p}}} \\ {s_{0} = {\beta + {\mu_{0} \cdot p}}} \end{matrix},} \right. & (17) \end{matrix}$ where α, β, λ₀ and μ₀ denote integers and where α·β≡N₀ (mod p). If α and β are both even or both odd, A0 and p0 have the same parity. Otherwise, define β′=β+p and μ′₀=μ₀−1. Thus, without loss of generality, it is possible to define two integers U₀ and V₀ as follows:

$\begin{matrix} \left\{ {\begin{matrix} {U_{0} = \frac{\lambda_{0} - \mu_{0}}{2}} \\ {V_{0} = \frac{\lambda_{0} + \mu_{0}}{2}} \end{matrix}.} \right. & (18) \end{matrix}$ Then

$\begin{matrix} \left\{ {\begin{matrix} {r_{0} = {\alpha + {U_{0} \cdot p} + {V_{0} \cdot p}}} \\ {s_{0} = {\beta - {U_{0} \cdot p} + {V_{0} \cdot p}}} \end{matrix}.} \right. & (19) \end{matrix}$

The integers V₀ and U₀ are usually referred to as the symmetric and antisymmetric to components of the pair (r₀, s₀), respectively. In general, in the search for (U₀, V₀), all values of α in the interval 1≤α<p may need to be tested.

The complexity of the problem is reduced in the cases when

$\begin{matrix} \left\{ {\begin{matrix} {\alpha \equiv {\beta\left( {{mod}\; p} \right)}} \\ {{\alpha \cdot \beta} \equiv {N_{0}\left( {{mod}\; p^{2}} \right)}} \end{matrix}.} \right. & (20) \end{matrix}$

In such cases V₀≡0 (mod p).

In order to realize this situation, it is possible to restate the problem of factoring N₀ into the problem of factoring some integer N which satisfies (20). To this end, select a prime p such that N₀ is a non-quadratic residue modulo p. It will be p^(n) ⁰ ⁻¹<N₀<p^(n) ⁰ , for some integer n₀. Select a candidate value of α, say {tilde over (α)}. Then define τ by the following: N ₀≡τ·{tilde over (α)}² (mod p ²).  (21)

Let {tilde over (τ)} denote the least positive residue of (21) modulo p². Then β≡{tilde over (τ)}·{tilde over (α)} (mod p). Since N₀ is a non-quadratic residue modulo p, so is {tilde over (τ)}. If {tilde over (τ)} is odd, define the integer N by the following N={tilde over (τ)}·N ₀  (22) where, for some integer n, p^(n−1)<N<p^(n). Then N is a quadratic residue modulo p and N≡{tilde over (τ)} ²·{tilde over (α)}² (mod p ²).  (23) If p=4·k+1, then {tilde over (τ)}≢±1 (mod p) for all {tilde over (α)} and {tilde over (τ)}²≢1 (mod p).

The integer {tilde over (τ)}²·{tilde over (α)}² can be partitioned into the product of {tilde over (τ)}·{tilde over (α)} by {tilde over (τ)}·α or −{tilde over (τ)}·{tilde over (α)} by −{tilde over (τ)}·{tilde over (α)}, yielding

$\begin{matrix} \left\{ {\begin{matrix} {r = {{\overset{\sim}{\tau} \cdot \overset{\sim}{\alpha}} + {U \cdot p} + {V \cdot p^{2}}}} \\ {s = {{\overset{\sim}{\tau} \cdot \overset{\sim}{\alpha}} - {U \cdot p} + {V \cdot p^{2}}}} \end{matrix},} \right. & (24) \end{matrix}$ where

$\begin{matrix} \left\{ \begin{matrix} {r = {\overset{\sim}{\tau} \cdot r_{0}}} \\ {s = s_{0}} \end{matrix} \right. & (25) \end{matrix}$ and where U and V denote integers. Similar relationships hold if r≡s≡−{tilde over (τ)}·{tilde over (α)} (mod p). Notice that, if U>0, r>s.

In the case of (24), it will be

$\begin{matrix} \left\{ {\begin{matrix} {Y = {{\overset{\sim}{\tau} \cdot \overset{\sim}{\alpha}} + {V \cdot p^{2}}}} \\ {X = {U \cdot p}} \end{matrix}.} \right. & (26) \end{matrix}$

Also, since {tilde over (τ)} is odd,

$\begin{matrix} \left\{ {\begin{matrix} {Y = \frac{{\overset{\sim}{\tau} \cdot r_{0}} + s_{0}}{2}} \\ {X = \frac{{\overset{\sim}{\tau} \cdot r_{0}} - s_{0}}{2}} \end{matrix}.} \right. & (27) \end{matrix}$

The factorization problem requires the identification of a pair (Ũ, {tilde over (V)}) such that, for the corresponding ({tilde over (r)}, {tilde over (s)}), is it N={tilde over (r)}·{tilde over (s)}.  (28) If, using the given {tilde over (α)}, the algorithm were successful in factoring N, then {tilde over (r)} would be divisible by {tilde over (τ)} and {tilde over (r)}/{tilde over (τ)}=r₀. NOTE 1: There is the possibility that {tilde over (τ)}·{tilde over (α)} be divisible by some integer t₁=1+h·p with 0<h<p. In this case, the product {tilde over (τ)}²·{tilde over (α)}² may be partitioned into the pair

$\left( {\frac{\overset{\sim}{\tau} \cdot \overset{\sim}{\alpha}}{t_{1}},{t_{1} \cdot \overset{\sim}{\tau} \cdot \overset{\sim}{\alpha}}} \right),$ which satisfies the second of (20). This case will not be considered here because the pair (X, Y) would not be represented as in (26). It should be noted that the proposed restatement of the problem is motivated by the convenience of using search tools such as (24) and (26), which operate on lattices of rectangular cells of sides p and p². NOTE 2: In general, all the values of a should be tested. Since N₀ is a non-quadratic residue modulo p, it is sufficient to test the values of a which are non-quadratic residues modulo p.

NOTE 3: In order to avoid singular cases, it is convenient to select p in such a way that, for all non-quadratic residues modulo p, it is α²≢1(mod p²).  (29) Such is the case when 2 is a primitive root modulo p. The prime p was selected of the form 4·k+1. Also, it has been shown that the integer 2 is a primitive of the primes of the form 8·h±3 [3, p.79]. Therefore, 2 is a primitive of the primes defined by 8·h±3=4·k+1  (30) or p=4·ODD+1.  (31)

NOTE 4: In general, in (24) the product {tilde over (τ)}·{tilde over (α)} can be replaced by any integer A such that A≡{tilde over (τ)}·{tilde over (α)} (mod p²) and N={tilde over (τ)}·N₀≡A² (mod p²). In particular, such is the case when N≡{tilde over (τ)} ²·{tilde over (α)}²(mod p ²) ≡Ã ²(mod p ²).  (32) Consider the expression of Y when Ã is used in lieu of {tilde over (τ)}·{tilde over (α)}: Y={tilde over (τ)}·{tilde over (α)}+V·p ² =Ã+V ₁ ·p ²  (33) for some integer V₁. Recall that, by (16), √{square root over (N)}<Y<N.  (34) There are two significant particular cases: If Ã<√{square root over (N)}, then V₁>0. Also, if Ã>N, then V₁<0. Throughout this presentation, Ã will be greater than N. For simplicity of notation, the integer V will be constrained to be positive. Then (24) takes the following form:

$\begin{matrix} \left\{ {\begin{matrix} {\overset{\sim}{A} > N} \\ {r = {\overset{\sim}{A} + {U \cdot p} - {V \cdot p^{2}}}} \\ {s = {\overset{\sim}{A} - {U \cdot p} - {V \cdot p^{2}}}} \end{matrix}.} \right. & (35) \end{matrix}$ NOTE 5: A particular definition of N can be produced when τ is computed modulo p^(n) ⁰ . In this case, define the integer to T₀ by the following: N ₀ ≡T ₀·α²(mod p^(n) ⁰ ).  (36) Let {tilde over (T)}₀ denote the least positive residue of T₀ modulo p^(n) ⁰ . It will be {tilde over (T)} ₀≡N₀·α⁻² (mod p^(n) ⁰ ) ≡{tilde over (τ)}(mod p ²).  (37) If {tilde over (T)}₀ is odd let

$\begin{matrix} \left\{ {\begin{matrix} {N_{T_{0}} = {{\overset{\sim}{T}}_{0} \cdot N_{0}}} \\ {p^{n_{T_{0}} - 1} < N_{T_{0}} < p^{n_{T_{0}}}} \\ {r = {{\overset{\sim}{T}}_{0} \cdot r_{0}}} \\ {s = s_{0}} \end{matrix}.} \right. & (38) \end{matrix}$ In this case, the magnitude of N_(T) ₀ is of the order of N₀ ². NOTE 6: Consider the case where, after the selection of p and {tilde over (α)}, the integer U is selected or computed to be U≡ũ_(1, 1)(mod p). In this case it would be possible to define an integer {tilde over (τ)}₂ as the least positive solution of the following: N ₀ ≡τ ₂·({tilde over (α)}+ũ _(1, 1) ·p)²(mod p ⁴).  (39) Then N could be defined as follows: N={tilde over (τ)} ₂ ·N ₀ =({tilde over (τ)}₂ ·r ₀)·s ₀  (40) and (24) could be replaced by the following:

$\begin{matrix} \left\{ {\begin{matrix} {r = {{{\overset{\sim}{\tau}}_{2} \cdot \left( {\overset{\sim}{\alpha} + {{\overset{\sim}{u}}_{1,1} \cdot p}} \right)} + {U_{2} \cdot p^{2}} + {V_{4} \cdot p^{4}}}} \\ {s_{0} = {{{\overset{\sim}{\tau}}_{2} \cdot \left( {\overset{\sim}{\alpha} + {{\overset{\sim}{u}}_{1,1} \cdot p}} \right)} - {U_{2} \cdot p^{2}} + {V_{4} \cdot p^{4}}}} \end{matrix},} \right. & (41) \end{matrix}$ for some integers U₂ and V₄. NOTE 7: There is the possibility that the solution {tilde over (τ)} of (21) be even. In this case, let τ=p ²−{tilde over (τ)} >0.  (42) Then τ is odd. Thus, −τ may be used in lieu of {tilde over (τ)} in (22) and in (24). As an example, let N₀=73·71=5,183. If p=29, 73=15+2·p and 71=13+2·p. For {tilde over (α)}=15, τ is defined by N₀≡τ·15² (mod p²). The least positive solution is {tilde over (τ)}=722. It will be τ=p²−τ=119. Then −N₀≡(p²−{tilde over (τ)})·15 ² (mod p²) and −N₀·(p²−{tilde over (τ)})≡(p²−{tilde over (τ)})²·15² (mod p²). Therefore, in this case, define N=−(p ²−{tilde over (τ)})·N ₀.  (43) Then (24) takes the following form

$\begin{matrix} \left\{ \begin{matrix} {r = {{\left( {p^{2} - \overset{\sim}{\tau}} \right) \cdot \overset{\sim}{\alpha}} + {U \cdot p} + {V \cdot p^{2}}}} \\ {s = {{\left( {p^{2} - \overset{\sim}{\tau}} \right) \cdot \overset{\sim}{\alpha}} - {U \cdot p} + {V \cdot p^{2}}}} \end{matrix} \right. & (44) \end{matrix}$ where

$\begin{matrix} \left\{ {\begin{matrix} {r = {\left( {p^{2} - \overset{\sim}{\tau}} \right) \cdot r_{0}}} \\ {s = {- s_{0}}} \end{matrix}.} \right. & (45) \end{matrix}$

Consider an algorithm which determines the pair (r, s) by successive approximations. In particular, consider the case when a candidate solution of s is determined sequentially modulo p, p², . . . , p^(k). In such a case, it is convenient to verify, at each step, whether a proposed candidate solution yields a divisor of N₀. Let ŝ denote the least positive residue of s modulo p^(k). Then let ŝ₀=p^(k)−ŝ and verify whether gcd (ŝ₀, N₀)≠1.

In this presentation, without loss of generality, it will be assumed that {tilde over (τ)} is a positive odd integer.

VII. A NOTE ON THE REPRESENTATION OF N

Given p^(n−1)<N<p^(n), where N is a quadratic residue modulo p, let

$\begin{matrix} {{N = {\sum\limits_{i = 0}^{n - 1}{v_{i} \cdot p^{i}}}},} & (46) \end{matrix}$ where {v_(i)} denote integers, and 0≤v_(i)≤p.

It is desired to compute a solution of the following: N≡A ²(mod p ^(n))  (47) where

$\begin{matrix} {{A \equiv {\sum\limits_{i = 0}^{n - 1}{a_{i} \cdot {p^{i}\left( {{mod}\; p^{n}} \right)}}}},} & (48) \end{matrix}$ and where 0≤α_(i) <p.  (49)

Subject to (49), the solution of (47) is provided by the following:

$\begin{matrix} \left\{ {\begin{matrix} {v_{0} \equiv a_{0}^{2}} & \left( {{mod}\mspace{14mu} p} \right) \\ {v_{1} \equiv {{2 \cdot a_{0} \cdot a_{1}} + \frac{a_{0}^{2} - v_{0}}{p}}} & \left( {{mod}\mspace{14mu} p} \right) \\ {v_{2} \equiv {{2 \cdot a_{0} \cdot a_{2}} + a_{1}^{2} + \frac{{RH}_{1} - {LH}_{1}}{p}}} & \left( {{mod}\mspace{14mu} p} \right) \\ \ldots & \; \\ {v_{i} \equiv {{\sum\limits_{k = 0}^{t}{a_{k} \cdot a_{i - k}}} + \frac{{RH}_{i - 1} - {LH}_{t - 1}}{p}}} & \left( {{mod}\mspace{14mu} p} \right) \\ \ldots & \; \\ {v_{n - 1} \equiv {{\sum\limits_{k = 0}^{n - 1}{a_{k} \cdot a_{n - k}}} + \frac{{RH}_{n - 2} - {LH}_{n - 2}}{p}}} & \left( {{mod}\mspace{14mu} p} \right) \end{matrix},} \right. & (50) \end{matrix}$ where RH_(i) and LH_(i) denote the RHS and LHS, respectively, of the congruence containing v_(i).

The terms (RH_(i)−LH_(i))/p are usually referred to as carries. They are caused by the constraint (49) and flow from the less significant digits to the more significant ones.

As an example, consider the problem of solving N≡A ² (mod p ⁵),  (51) where N is a quadratic residue modulo p. Assume p=13 and

$\begin{matrix} {\begin{matrix} {N = {\sum\limits_{t = 0}^{4}{v_{i} \cdot p^{i}}}} \\ {= {10 + {2 \cdot p} + {10 \cdot p^{2}} + {5 \cdot p^{3}} + {0 \cdot p^{4}}}} \\ {= {12\text{,}711}} \end{matrix}.} & (52) \end{matrix}$ If 0≤α_(i)<p, a solution of (51), say Ã, can be represented as follows: Ã=6+0·p+3·p ²+10·p ³+5·p ⁴.  (53) A second solution of (51) occurs when {tilde over (α)}₀=6 is replaced by α ₀=p−{tilde over (α)}₀=7. In this case Ā=7+12·p+9·p ²+2·p ³+7·p ⁴.  (54)

Consider removing the magnitude constraints (49) from all α_(i) and representing A as A≡ω ₀+ω₁ ·p+ω ₂ ·p ²+ω₃ ·p ³ω₄ ·p ⁴ (mod p ⁵),  (55) where the coefficients of any power of p are positive integers and are constrained by the following conditions: 0<ω_(i) <p ^(n−i).  (56) Then the congruence (51) can be satisfied if the sum of the coefficients of any power of p, say p^(i), is congruent to zero modulo p^(5−i). Specifically, in the example , it must be

$\begin{matrix} \left\{ {\begin{matrix} {v_{0} \equiv {\omega_{0}^{2}\mspace{14mu}\left( {{mod}\mspace{14mu} p^{5}} \right)}} \\ {{v_{1} \cdot p} \equiv {{2 \cdot \omega_{0} \cdot \omega_{1} \cdot p}\mspace{14mu}\left( {{mod}\mspace{14mu} p^{5}} \right)}} \\ {{v_{2} \cdot p^{2}} \equiv {{\omega_{1}^{2} \cdot p^{2}} + {{2 \cdot \omega_{0} \cdot \omega_{2} \cdot p^{2}}\mspace{14mu}\left( {{mod}\mspace{14mu} p^{5}} \right)}}} \\ {{v_{3} \cdot p^{3}} \equiv {{2 \cdot \omega_{1} \cdot \omega_{2} \cdot p^{3}} + {{2 \cdot \omega_{0} \cdot \omega_{3} \cdot p^{3}}\mspace{14mu}\left( {{mod}\mspace{14mu} p^{5}} \right)}}} \\ {{v_{4} \cdot p^{4}} \equiv {{\omega_{2}^{2} \cdot p^{4}} + {2 \cdot \omega_{1} \cdot \omega_{3} \cdot p^{4}} + {{2 \cdot \omega_{0} \cdot \omega_{4}}\mspace{14mu}\left( {{mod}\mspace{14mu} p^{5}} \right)}}} \end{matrix}.} \right. & (57) \end{matrix}$

In the example, consider the condition 10≡ω₀ ² (mod p ⁵).  (58) For ω₀≡6 (mod p), the least positive solution, say {tilde over (ω)}₀, is {tilde over (ω)}₀=181,200. For ω ₀≡p−6≡7 (mod p), it is ω ₀=190,043. To satisfy the second of (57) when {tilde over (ω)}₀=181,200, it must be 2·p≡2·{tilde over (ω)}₀·ω₁ ·p (mod p ⁵). The least positive solution, say {tilde over (ω)}₁, is {tilde over (ω)}₁=18,120. Thereafter, from the third of (57), let 10·p ²≡({tilde over (ω)}₁ ²+2·{tilde over (ω)}₀·ω₂)·p ² (mod p ⁵), whence {tilde over (ω)}₂=1,814. Likewise, from the fourth of (57), let 5·p ³≡2·{tilde over (ω)}₁·{tilde over (ω)}₂ ·p ³+2·{tilde over (ω)}₀·ω₃ ·p ³ (mod p ⁵), whence {tilde over (ω)}₃=97. Finally, from the fifth of (57), let 0·p ⁴≡ω₂ ² ·p ⁴+2·ω₁·ω₃ ·p ⁴+2·ω₀·ω₄ ·p ⁴ (mod p ⁵), whence {tilde over (ω)}₄=12. Then N≡(181,200+18,120·p+1,814·p ²+97·p ³+12·p ⁴)² (mod p ⁵).  (59) Proceeding in a similar fashion with ω ₀=190,093, it is N≡(190,093+10,441·p+383·p ²+72·p ³+1·p ⁴)² (mod p ⁵).  (60)

Comparison of the resulting {tilde over (ω)}_(i) with the corresponding ω _(i) yields

$\begin{matrix} \left\{ \begin{matrix} {{{\overset{\sim}{\omega}}_{i} + {\overset{\_}{\omega}}_{i}} = p^{5 - i}} \\ {0 < {\overset{\sim}{\omega}}_{i} < p^{6 - i}} \end{matrix} \right. & (61) \end{matrix}$ or ({tilde over (ω)}_(i)+ω _(i))·p ^(i) =p ⁵.  (62) Thus, in the example, 181,200+190,093=p ⁵ 18,120+10,441=p ⁴ 1,814+383=p ³ 97+72=p ² 12+1=p  (63) and Ã+Ā=5·p ⁵.  (64) Notice that, when Ã and Ā are subject to the constraint (49), as in (53) and (54), their sum equals p⁵.

Comparing the representations of Ã by (59) and (53), it can be stated that the representation proposed by (59) entails an equipartition of weight among the 5 degrees of freedom of (55).

NOTE 1: In the example, each coefficient {tilde over (ω)}_(i) of Ã is computed modulo p^(5−i). If the magnitude constraint (49) were to be applied to the coefficients on the RHS of (59) and (60), the coefficients ω_(i) would be reduced modulo p and the structure (57) would be demolished. In practice, the integer N, as represented on the RHS of (59) and (60), should be treated as a polynomial in some integer variable u, say P(u), where P(u) happens to be computed at u=p. NOTE 2: In (55) the representation of the coefficients to, is arbitrary. In (59) and (60) such coefficients are represented in base 10. They may be represented in any other base, such as p. NOTE 3: It should be noted that in (51) p⁴<N<p⁵ and in (55) A is being defined modulo p⁵. In general, such may not be the case. It is possible that A be defined modulo a larger power of p, depending on the requirements of the problem on hand. A similar situation occurs in the domain of irrational numbers, such as √{square root over (2)}. √{square root over (2)} may be computed with a large number of decimal digits, depending on the precision required by the problem on hand. No harm is done if the precision of the computed value of √{square root over (2)} is greater than needed. As an example, consider the case when p=13 and N₁<p². Assume that N₁=ν₀+ν₁·p=10+2·p. It is desired to solve N ₁ ≡A ² (mod p ⁵).  (65) In this case the integers ω_(i) are defined by the following:

$\begin{matrix} \left\{ {\begin{matrix} {v_{0} \equiv {\omega_{0}^{2}\left( {{mod}\mspace{14mu} p^{5}} \right)}} \\ {{v_{1} \cdot p} \equiv {2 \cdot \omega_{0} \cdot \omega_{1} \cdot {p\left( {{mod}\mspace{14mu} p^{5}} \right)}}} \\ {0 \equiv {{\omega_{1}^{2} \cdot p^{2}} + {2 \cdot \omega_{0} \cdot \omega_{2} \cdot {p^{2}\left( {{mod}\mspace{14mu} p^{5}} \right)}}}} \\ {0 \equiv {{2 \cdot \omega_{1} \cdot \omega_{2} \cdot p^{3}} + {2 \cdot \omega_{0} \cdot \omega_{3} \cdot {p^{3}\left( {{mod}\mspace{14mu} p^{5}} \right)}}}} \\ {0 \equiv {{2 \cdot \omega_{1} \cdot \omega_{3} \cdot p^{4}} + {2 \cdot \omega_{0} \cdot \omega_{4} \cdot p^{4}} + {\omega_{2}^{2} \cdot {p^{4}\left( {{mod}\mspace{14mu} p^{5}} \right)}}}} \end{matrix}.} \right. & (66) \end{matrix}$ For ω₀≡6 (mod p), the result is N ₁10+2·p≡(181,200+18,120·p+1,291·p ²+23·p ³+2·p ⁴)² (mod p ⁵).  (67) Compare with (59). NOTE 4: As a further application of this method of representation of integers, consider the problem of computing Ã⁻¹ (mod p⁵) when Ã is defined as in (55). Let Ã ⁻¹ ≡w ₀ +w ₁ ·p+w ₂ ·p ² +w ₃ ·p ³ +w ₄ ·p ⁴(mod p)  (68) and Ã·Ã ⁻¹≡1(mod p ⁵).  (69) The coefficients w_(i) should be defined as the least positive solutions of the following:

$\begin{matrix} \left\{ {\begin{matrix} {{{\overset{\sim}{\omega}}_{0} \cdot w_{0}} \equiv {1\left( {{mod}\mspace{14mu} p^{5}} \right)}} \\ {{{{\overset{\sim}{\omega}}_{0} \cdot w_{1}} + {{\overset{\sim}{\omega}}_{1} \cdot {\overset{\sim}{w}}_{0}}} \equiv {0\left( {{mod}\mspace{14mu} p^{4}} \right)}} \\ {{{{\overset{\sim}{\omega}}_{0} \cdot w_{2}} + {{\overset{\sim}{\omega}}_{1} \cdot {\overset{\sim}{w}}_{1}} + {{\overset{\sim}{\omega}}_{2} \cdot {\overset{\sim}{w}}_{0}}} \equiv {0\left( {{mod}\mspace{14mu} p^{3}} \right)}} \\ {{{{\overset{\sim}{\omega}}_{0} \cdot w_{3}} + {{\overset{\sim}{\omega}}_{1} \cdot {\overset{\sim}{w}}_{2}} + {{\overset{\sim}{\omega}}_{2} \cdot {\overset{\sim}{w}}_{1}} + {{\overset{\sim}{\omega}}_{3} \cdot {\overset{\sim}{w}}_{0}}} \equiv {0\left( {{mod}\mspace{14mu} p^{2}} \right)}} \\ {{{{\overset{\sim}{\omega}}_{0} \cdot w_{4}} + {{\overset{\sim}{\omega}}_{1} \cdot {\overset{\sim}{w}}_{3}} + {{\overset{\sim}{\omega}}_{2} \cdot {\overset{\sim}{w}}_{2}} + {{\overset{\sim}{\omega}}_{3} \cdot {\overset{\sim}{w}}_{1}} + {{\overset{\sim}{\omega}}_{4} \cdot {\overset{\sim}{w}}_{0}}} \equiv {0\left( {{mod}\mspace{14mu} p} \right)}} \end{matrix}.} \right. & (70) \end{matrix}$ In the example, Ã⁻¹≡18,120+26,749·p+1,590·p²+73·p³+9·p⁴ (mod p⁵). The product Ã·Ã⁻¹ also contains the following terms:

$\begin{matrix} \left\{ {\begin{matrix} {{\left( {{\omega_{1} \cdot w_{4}} + {\omega_{2} \cdot w_{3}} + {\omega_{3} \cdot w_{2}} + {\omega_{4} \cdot w_{1}}} \right) \cdot p^{5}} = {347\text{,}{391 \cdot p^{5}}}} \\ {{\left( {{{\overset{\sim}{\omega}}_{2} \cdot {\overset{\sim}{w}}_{4}} + {{\overset{\sim}{\omega}}_{3} \cdot {\overset{\sim}{w}}_{3}} + {{\overset{\sim}{\omega}}_{4} \cdot {\overset{\sim}{w}}_{2}}} \right) \cdot p^{6}} = {15\text{,}{478 \cdot p^{6}}}} \\ {{\left( {{{\overset{\sim}{\omega}}_{3} \cdot {\overset{\sim}{w}}_{4}} + {{\overset{\sim}{\omega}}_{4} \cdot {\overset{\sim}{w}}_{3}}} \right) \cdot p^{7}} = {353 \cdot p^{7}}} \\ {{{\overset{\sim}{\omega}}_{4} \cdot {\overset{\sim}{w}}_{4} \cdot p^{8}} = {18 \cdot p^{8}}} \end{matrix}.} \right. & (71) \end{matrix}$

VIII. THE ROADMAP.

1) Introduction. Definition of M.

Given p and N, select Ã as one of the solutions of (47) modulo p^(n), computed using the procedure described in Section VII. Assume Ã>p^(n) (64).

Then, using (35), let N≡Ã ² −U ² ·p ²−2·Ã·V·p ² +V ² ·p ⁴,  (72) where

$\begin{matrix} \left\{ {\begin{matrix} {\overset{\sim}{A} = {\sum\limits_{i = 0}^{n - 1}{{\overset{\sim}{\omega}}_{i} \cdot p^{i}}}} \\ {U = {\sum\limits_{i = 1}^{n - 1}{u_{i} \cdot p^{i - 1}}}} \\ {V = {\sum\limits_{i = 2}^{n - 1}{\upsilon_{i} \cdot p^{i - 2}}}} \end{matrix}.} \right. & (73) \end{matrix}$

Referring to (59), recall that each ω_(i) can be represented as

$\begin{matrix} {\omega_{i} = {\sum\limits_{k = 0}^{n - 1 - i}{\omega_{i,k} \cdot {p^{k}.}}}} & (74) \end{matrix}$ Also,

$\begin{matrix} \left\{ \begin{matrix} {u_{i} = {\sum\limits_{k = 1}^{n - 1 - i}{u_{i,k} \cdot p^{k - 1}}}} \\ {{\upsilon_{i} = {\sum\limits_{k = 1}^{n - 1 - i}\upsilon_{i,k}}}{\cdot p^{k - 2}}} \end{matrix} \right. & (75) \end{matrix}$ and

$\begin{matrix} \left\{ {\begin{matrix} {U_{i,j} = {\sum\limits_{k = 1}^{j}{u_{i,k} \cdot p^{k - 1}}}} \\ {V_{i,j} = {\sum\limits_{k = 1}^{j}{\upsilon_{i,k} \cdot p^{k - 2}}}} \end{matrix}.} \right. & (76) \end{matrix}$ Then

$\begin{matrix} \left\{ {\begin{matrix} {r \equiv {\overset{\sim}{A} + {u_{1} \cdot p} + {\left( {{- \upsilon_{2}} + u_{2}} \right) \cdot p^{2}} + {\left( {{- \upsilon_{3}} + u_{3}} \right) \cdot p^{3}} + \ldots +}} \\ {\left( {{- \upsilon_{n - 1}} + u_{n - 1}} \right) \cdot {p^{n - 1}\left( {{mod}\mspace{14mu} p^{n}} \right)}} \\ {s \equiv {\overset{\sim}{A} - {u_{1} \cdot p} + {\left( {{- \upsilon_{2}} - u_{2}} \right) \cdot p^{2}} + {\left( {{- \upsilon_{3}} - u_{3}} \right) \cdot p^{3}} + \ldots +}} \\ {\left( {{- \upsilon_{n - 1}} - u_{n - 1}} \right) \cdot {p^{n - 1}\left( {{mod}\mspace{14mu} p^{n}} \right)}} \end{matrix}.} \right. & (77) \end{matrix}$

The representation (77) of r and s accounts for the fact that both r and s are smaller than p^(n). However, using (77), the product of r by s contains powers of p greater than p^(n), actually as high as p^(2·n−2).

In order to uncover the properties which relate the coefficients of (77), it is necessary to compute, and represent without loss of information, the multiples of any p^(i) which results from the multiplication of r by s. To this end a new modulus is introduced, namely p^(M), where

$\begin{matrix} {{M = {\left( {{2 \cdot n} - 2} \right) + 1}}.} & (78) \end{matrix}$ It should be noticed that: 1) M is always odd. 2) If n=2·{tilde over (k)}+1, then M=4·{tilde over (k)}+1. 3) The use of M does not affect the magnitude of N. If N<p^(n), it can be represented as follows:

$\begin{matrix} \left\{ {\begin{matrix} {N = {\sum\limits_{i = 0}^{n - 1}{v_{i} \cdot p^{i}}}} \\ {v_{i} = {{{0\mspace{14mu}{for}\mspace{14mu} n} - 1} < i \leq {M - 1}}} \end{matrix}.} \right. & (79) \end{matrix}$ 4) When M is employed in lieu of n, Ã should be computed as a solution of the following: N≡A ² (mod p ^(M)).  (80) 5) s=s₀ and r>s₀. 6) A comparable result is achieved when {tilde over (T)}₀ is employed in lieu of {tilde over (τ)}. 2) The Approach

In the case where (79) is employed, reduction of (77) modulo p³ yields

$\begin{matrix} {{\frac{N - {\overset{\sim}{A}}^{2}}{p^{M}} \cdot p^{M}} \equiv {\left( {{- u_{1}^{2}} - {2 \cdot \overset{\sim}{A} \cdot \upsilon_{2}}} \right) \cdot {{p^{2}\left( {{mod}\mspace{14mu} p^{3}} \right)}.}}} & (81) \end{matrix}$

Then, if the pair (ũ₁, {tilde over (ν)}₂) is a solution of (81) modulo p, it is

$\begin{matrix} {{{\frac{N - {\overset{\sim}{A}}^{2}}{p^{M}} \cdot p^{M}} + {\left( {\frac{{\overset{\sim}{u}}_{1}^{2} + {2 \cdot \overset{\sim}{A} \cdot {\overset{\sim}{\upsilon}}_{2}}}{p} \cdot p} \right) \cdot p^{2}}} \equiv {\left( {{{- 2} \cdot {\overset{\sim}{u}}_{1} \cdot u_{2}} - {2 \cdot \overset{\sim}{A} \cdot \upsilon_{3}}} \right) \cdot {{p^{3}\left( {{mod}\mspace{14mu} p^{4}} \right)}.}}} & (82) \end{matrix}$

The LHS of this congruence contains a contribution to the set of multiples of p³. This contribution is usually denoted as a “carry”. The flow of carries from one digit to the higher powers of p increases the complexity of the factorization problem. The flow of carries would be controlled better if (81) were solved modulo p^(M) and the pair (u₁ ², ν₂) were defined modulo p^(M−2). In this case (82) could take the following form:

$\begin{matrix} {{{\frac{N - {\overset{\sim}{A}}^{2}}{p^{M}} \cdot p^{M}} + {\left( {\frac{{\overset{\sim}{u}}_{1}^{2} + {2 \cdot \overset{\sim}{A} \cdot {\overset{\sim}{\upsilon}}_{2}}}{p^{M - 2}} \cdot p^{M - 2}} \right) \cdot p^{2}}} \equiv {\left( {{{- 2} \cdot {\overset{\sim}{u}}_{1} \cdot u_{2}} - {2 \cdot \overset{\sim}{A} \cdot \upsilon_{3}}} \right) \cdot {{p^{3}\left( {{mod}\mspace{14mu} p^{4}} \right)}.}}} & (83) \end{matrix}$

This approach would require replacing the magnitude constraints (49) from the elements of {u_(i)} and {ν_(i)} and assuring that the RHS of congruences such as (83) include all the terms which are multiples of any given p^(i). Following this procedure, still there would be carries, as shown on the LHS of (83). However, such carries would flow from any given congruence directly into a pool of multiples of p^(M).

The plan of this presentation consists of analyzing each of the terms of (72) with the appropriate definition of Ã and resolving them into the sum of powers of p. Then, for any given power of p, say p^(i), add all the coefficients of p^(i) which are produced by Ã²−N, −2·Ã·(Ã−Y), (Ã−Y)² and −X² and place the condition that their sum be congruent to zero modulo p^(M−i).

3) The Integer Ã²−N

Let Ã be defined as in (73), where the integers {tilde over (ω)}_(i) are determined using the procedure illustrated in Section VII. Thus, for i<M,

$\begin{matrix} \left\{ {\begin{matrix} {v_{0} \equiv {\omega_{0}^{2}\left( {{mod}\mspace{14mu} p^{M}} \right)}} \\ {v_{1} \equiv {2 \cdot {\overset{\sim}{\omega}}_{0} \cdot {\omega_{1}\left( {{mod}\mspace{14mu} p^{M - 1}} \right)}}} \\ {v_{2} \equiv {{\overset{\sim}{\omega}}_{1}^{2} + {2 \cdot {\overset{\sim}{\omega}}_{0} \cdot {\omega_{2}\left( {{mod}\mspace{14mu} p^{M - 2}} \right)}}}} \\ \ldots \\ {v_{M - 1} \equiv {{\sum\limits_{k = 1}^{M - 2}{{\overset{\sim}{\omega}}_{k} \cdot {\overset{\sim}{\omega}}_{M - 1 - k}}} + {2 \cdot {\overset{\sim}{\omega}}_{0} \cdot {\omega_{M - 1}\left( {{mod}\mspace{14mu} p} \right)}}}} \end{matrix},} \right. & (84) \end{matrix}$ where

$\begin{matrix} \left\{ {\begin{matrix} {\omega_{0} \equiv {{\pm \overset{\sim}{\tau}} \cdot {\overset{\sim}{\alpha}\left( {{mod}\mspace{14mu} p} \right)}}} \\ {{\omega_{0} + {\omega_{1} \cdot p}} \equiv {{\pm \overset{\sim}{\tau}} \cdot {\overset{\sim}{\alpha}\left( {{mod}\mspace{14mu} p^{2}} \right)}}} \end{matrix}.} \right. & (85) \end{matrix}$ In fact, N≡{tilde over (τ)}²·{tilde over (α)}² (mod p²) and also N≡(ω₀+ω₁·p)² (mod p²).

Consider then the integer Ã²−N. As an illustration, refer to FIG. 1. The headings of the rows and columns represent the coefficients {tilde over (ω)}_(i) of Ã. Multiplication of Ã by Ã generates the products {tilde over (ω)}_(i)·{tilde over (ω)}_(j) which are represented by the cells of FIG. 1. Cells on any given line of slope 1 contribute to the coefficient of the same power of p.

Let LH_(i) and RH_(i) denote the LHS and the RHS, respectively, of the congruence containing ν_(i). For i<M each (LH_(i)−RH_(i)), multiplied by the corresponding p^(i), contributes to the resulting polynomial a known multiple of p^(M). In fact,

$\begin{matrix} {{\left( {\frac{{LH}_{i} - {RH}_{i}}{p^{M - i}} \cdot p^{M - i}} \right) \cdot p^{i}} \equiv {0{\left( {{mod}\mspace{14mu} p^{M}} \right).}}} & (86) \end{matrix}$

For i>M, Ã² contains terms of degree greater than p^(M). The highest power of p in Ã²−N is p^(2·M−2). In fact, the highest power of p in Ã is p^(M−1). After squaring, the highest power in this representation of Ã² is p^(2·M−2).

Therefore, for i−M+j, and j≥0, Ã²−N contains multiples of p^(M+j), say p^(M+j). Q_(j), where

$\begin{matrix} {Q_{j} = {\sum\limits_{k = 1}^{M - j - 1}{{\overset{\sim}{\omega}}_{M - k} \cdot {{\overset{\sim}{\omega}}_{k + j}.}}}} & (87) \end{matrix}$

The total contribution, for all j≥0, is

$\begin{matrix} {{p^{M} \cdot Q} \equiv {p^{M} \cdot {\sum\limits_{i = 0}^{M - 2}{p^{j} \cdot {Q_{j}.}}}}} & (88) \end{matrix}$

As a conclusion:

1) For i<M, by (84), (ν_(i) −RH _(i))·p ^(i)≡0 (mod p ^(m)).  (89)

2) For i=M each of the terms on the corresponding line of slope 1 is a coefficient of p^(M).

3) For i>M each of the terms on the corresponding line of slope 1 is a coefficient of p^(M)·p^(j), where 0<j=i−M. Refer to FIG. 1.

In particular, in the example (59), it is

$\begin{matrix} \left\{ {\begin{matrix} {{\left( {{2 \cdot \omega_{1} \cdot \omega_{4}} + {2 \cdot \omega_{2} \cdot \omega_{3}}} \right) \cdot p^{5}} = {786796 \cdot p^{5}}} \\ {{\left( {{2 \cdot \omega_{2} \cdot \omega_{4}} + \omega_{3}^{2}} \right) \cdot p^{6}} = {52945 \cdot p^{6}}} \\ {{\left( {2 \cdot \omega_{3} \cdot \omega_{4}} \right) \cdot p^{7}} = {2328 \cdot p^{7}}} \\ {{\omega_{4}^{2} \cdot p^{8}} = {144 \cdot p^{8}}} \end{matrix}.} \right. & (90) \end{matrix}$ 4) The Relationship Between ν_(i) and u_(i−1) when u₁≢0 (mod p)

Consider the representation of the pair (r, s) as in (77), where Ã is constructed as described in Section VII, and M is used in lieu of n. Thus, when r is multiplied by s, it is possible to group all the terms which contain any multiple of any given power of p, say p^(i), and place the condition that the sum of their coefficients be congruent to zero modulo p^(M−i).

However, by (84), resolving the integer Ã²−N into its components, the sum of the coefficients of p^(i) in (Ã²−N) equals

$\begin{matrix} {\begin{matrix} {{{\sum\limits_{k = 0}^{i}{{\overset{\sim}{\omega}}_{k} \cdot {\overset{\sim}{\omega}}_{i - k}}} - v_{i}} \equiv {0\left( {{mod}\mspace{14mu} p^{M - i}} \right)}} \\ {= {{\overset{\sim}{\eta}}_{i} \cdot p^{M - i}}} \end{matrix}.} & (91) \end{matrix}$ (η_(i) an integer).

As a result, consider the case when it is desired to express ν₆ as a function of all the u_(l)'s 1≤l≤5′, and the ν_(j)'s (2≤j≤5). It will be −(2·{tilde over (ω)}₀·ν₆+2·{tilde over (ω)}₁·ν₅+2·{tilde over (ω)}₂·ν₄+2·{tilde over (ω)}₃·ν₃+2·{tilde over (ω)}₄·ν₂)+2·ν₂·ν₄+ν₃ ²≡2·u ₁ ·u ₅+2·u ₂ ·u ₄ +u ₃ ² (mod p ^(M−6)).  (92)

This congruence defines ν₆ modulo p^(M−6) as a function of lesser degree variables. If u₁≢0 (mod p) and if all the variables of lesser degree are known, (92) defines a linear congruence between ν₆ and u₅ modulo p^(M−6). After the determination of ν₆, upon multiplication by p⁶, it will be

$\begin{matrix} {{\left( {\frac{{LH}_{6} - {RH}_{6}}{p^{M - 6}} \cdot p^{M - 6}} \right) \cdot p^{6}} \equiv {0\left( {{mod}\mspace{14mu} p^{M}} \right)}} & (93) \end{matrix}$ where LH₆ and RH₆ denote the LHS and RHS of (92), respectively. The LHS of this latter congruence is a multiple of p^(M) and does not contain any power of p greater than p^(M).

In general, for 2≤i≤M−1,

$\begin{matrix} \left\{ {\begin{matrix} {u_{1} ≢ {0\left( {{mod}\mspace{14mu} p} \right)}} \\ {2 \leq i \leq {M - 1}} \\ {{{{- 2} \cdot {\sum\limits_{k = 2}^{i}{{\overset{\sim}{\omega}}_{t - k} \cdot \upsilon_{k}}}} + {\sum\limits_{k = 2}^{i - 2}{\upsilon_{k} \cdot \upsilon_{i - k}}}} \equiv {\sum\limits_{k = 1}^{i - 1}{u_{k} \cdot {u_{i - k}\left( {{mod}\mspace{14mu} p^{M - i}} \right)}}}} \end{matrix}.} \right. & (94) \end{matrix}$ The first summation on the LHS of (94) contains terms which result from the multiplication of −2·Ã by (Ã−Y), when Ã is represented as described in Section VII. The second summation on the LHS results from (Ã−Y)². 5) The Product 2·Ã·(Ã−Y)

FIG. 2 illustrates the product Ã·(Ã−Y). The columns are headed by the coefficients ν_(i) of p^(i) in Y. The rows are headed by the coefficients {tilde over (ω)}_(j) of p^(j) in Ã.

Some of the cells represent products {tilde over (ω)}_(j)·ν_(i) which have been included in (94). Refer to (92) as an example. As a further example, the cells on the line of slope 1 which contains {tilde over (ω)}₀·ν_(M−1) and {tilde over (ω)}_(M−3)·ν₂ represent coefficients of p^(M−1) which are employed to write (94) modulo p.

The cells on the line of slope 1 which contains {tilde over (ω)}_(M−1)·ν₂ represent coefficients of p^(M+1) and are not included in (94).

The highest power of p contained in 2·Ã·(Ã−Y) is p^(2·M−2), obtained through the product of {tilde over (ω)}_(M−1)·p^(M−1)by ν_(M−1)·p^(M−1).

6) The Integer (Ã−Y)²

FIG. 3 illustrates (Ã−Y)². Rows and columns are headed by the coefficients ν_(i) of p^(i) in Y. Some of the cells represent products of ν_(i)·ν_(j) which have been included in (94). Refer to (92) as an example.

Since the largest power of p in Y is p^(M−1), (94) must also be written for i=M−1. Then the LHS of (94) must include cells representing the products ν₂·ν_(M−3), ν₃·ν_(M−4), etc. Cells representing coefficients of higher powers of p are not absorbed into (94) and contribute to Σ₀, when Σ₀ denotes the sum of all the products ν_(i)·ν_(j)·p^(i)·p^(j) which have not been absorbed as terms of any of the congruences (94). It will be

$\begin{matrix} {\underset{0}{\Sigma} = {{p^{M} \cdot \left( {{\upsilon_{2} \cdot \upsilon_{M - 2}} + {\upsilon_{3} \cdot \upsilon_{M - 3}} + \ldots + {\upsilon_{\frac{M - 1}{2}} \cdot \upsilon_{\frac{M + 1}{2}}}} \right)} + {p^{M + 1} \cdot \left( {{\upsilon_{2} \cdot \upsilon_{M - 1}} + {\upsilon_{3} \cdot \upsilon_{M - 2}} + \ldots + {\upsilon_{M - 1} \cdot \upsilon_{2}}} \right)} + {{p^{M + 2} \cdot \left( {{\upsilon_{3} \cdot \upsilon_{M - 1}} + {\upsilon_{4} \cdot \upsilon_{M - 2}} + \ldots + {\upsilon_{M - 1} \cdot \upsilon_{3}}} \right)}\mspace{14mu}\ldots} + {p^{2} \cdot p^{M - 6} \cdot \left( {{\upsilon_{M - 1} \cdot \upsilon_{M - 5}} + {\upsilon_{M - 2} \cdot \upsilon_{M - 4}} + \ldots + {\upsilon_{M - 1} \cdot \upsilon_{M - 5}}} \right)} + {{p^{2} \cdot p^{M - 5} \cdot \left( {{\upsilon_{M - 1} \cdot \upsilon_{M - 4}} + {\upsilon_{M - 2} \cdot \upsilon_{M - 3}} + \ldots + {\upsilon_{M - 4} \cdot \upsilon_{M - 1}}} \right)}\mspace{14mu}\ldots} + {p^{{2 \cdot M} - 2} \cdot {\upsilon_{M - 1}^{2}.}}}} & (95) \end{matrix}$ 7) The Integer X²

FIG. 4 illustrates X². Rows and columns are headed by the coefficients u_(i) of p^(i) in X. Some of the cells represent products u^(i)·u^(j) which have been included in (94). Refer to (92) as an example.

Since the largest power of p in X is p^(M−1), (94) must also be written for i=M−1. Then the RHS of (94) must include cells representing the products u₂·u_(M−3), u₃·u_(M−4), etc. The cells on the line of slope one which contains u₁·u_(M−1) represents multiples of p^(M). The cells on the line of slope one which contains u₂·u_(M−1) represents multiples of p^(M+1). In general, let Ξ₀ denote the sum of the products u_(i)·u_(j)·p^(i)·p^(j) which have not be absorbed as terms of any of the (94). It will be

$\begin{matrix} {\Xi_{0} = {{p^{M} \cdot \left( {{u_{1} \cdot u_{M - 1}} + {u_{2} \cdot u_{M - 2}} + \ldots + {u_{\frac{M - 1}{2}} \cdot u_{\frac{M + 1}{2}}}} \right)} + {p^{M + 1} \cdot \left( {{u_{2} \cdot u_{M - 1}} + {u_{3} \cdot u_{M - 2}} + \ldots + {u_{M - 1} \cdot u_{2}}} \right)} + {{p^{M + 2} \cdot \left( {{u_{3} \cdot u_{M - 1}} + {u_{4} \cdot u_{M - 2}} + \ldots + {u_{M - 1} \cdot u_{3}}} \right)}\mspace{14mu}\ldots} + {p^{{2 \cdot M} - 3} \cdot 2 \cdot u_{M - 2} \cdot u_{M - 1}} + {p^{{2 \cdot M} - 2} \cdot {u_{M - 1}^{2}.}}}} & (96) \end{matrix}$

Consider the case when u_(M−1)=0 and u_(M−2)≠0. In this case u₂·u_(M−1)=0. Then the line of slope one containing multiples of p^(M+1) does not contain any cell which has a coefficient of p^(M+1) dependent on u₂. Refer to FIG. 4. If u_(M−2)≠0, the sum of the coefficients of p^(M+1) includes a term dependent on u₃.

IX. THE RELATIONSHIP BETWEEN ν_(i) AND u_(i) of WHEN u_(M−1)≠0

1) The Approach

Consider the general expression of (r, s) (77). Multiply r by s modulo p^(M). Using (94), it will be

$\begin{matrix} {{{\left( {\frac{{LH}_{i} - {RH}_{i}}{p^{M - i}} \cdot p^{M - i}} \right) \cdot p^{i}} \equiv {0\left( {{mod}\mspace{14mu} p^{M}} \right)}},} & (97) \end{matrix}$ where the LH_(i) and RH_(i) denote the LHS and RHS of (94), respectively. Therefore,

$\begin{matrix} {0 = {{\frac{{\overset{\sim}{A}}^{2} - N}{p^{M}} \cdot p^{M}} + {{multiples}\mspace{14mu}{of}\mspace{14mu} p^{M}\mspace{14mu}{produced}\mspace{14mu}{by}\mspace{14mu}(97)} - {{multiples}\mspace{14mu}{of}\mspace{14mu} p^{M}\mspace{14mu}{produced}\mspace{14mu}{by}\mspace{14mu}{2 \cdot \overset{\sim}{A} \cdot \left( {\overset{\sim}{A} - Y} \right)}} + \underset{0}{\Sigma} - {\Xi_{0}.}}} & (98) \end{matrix}$

Recall that, when using (94), for i≤M−1, the multiples of p^(M) produced by (97) do not contain any power of p greater than p^(M). Thus, their presence on the RHS of (98) does not interfere with the process of analyzing the coefficients of higher powers of p.

A relationship between ν_(i) and u_(i) can be produced by placing the condition that the carriers flow from any power of p greater than p^(M), say p^(M+j)(j≥1), to higher powers of p, say p^(M+j+1). This condition implies that the sum of the coefficients of any power of p greater than p^(M) equal zero modulo p^(j) and no carry flows into p^(2·(M−1)+1).

Starting from the highest power of p, observe that in (95) the highest power of p is p^(2·M−2). In fact, Y<p^(M) and the highest power of p in Y is p^(M−1). After squaring, the highest power is p^(2·M−2). A similar situation occurs for Ã²−N, where Q _(M−2)={tilde over (ω)}_(M−1) ².  (99) Concerning the product −2·Ã·ν_(M−1), the highest power of p it contains is p^(2·M−2), with a coefficient of −2·{tilde over (ω)}_(M−1)·ν_(M−1). Then 0=p ^(M)·(Q _(M−2) ·p ^(M−2))−2·{tilde over (ω)}_(M−1)·ν_(M−1) ·p ^(2·M−2)+(ν_(M−1) ·p ^(M−1))²−(u _(M−1) ·p ^(M−1))².  (100) As a result, ({tilde over (ω)}_(M−1)−ν_(M−1))² =u _(M−1) ²,  (101) or ({tilde over (ω)}_(M−1)−ν_(M−1) −u _(M−1))·({tilde over (ω)}_(M−1)−ν_(M−1) +u _(M−1))=0.  (102) 2) The Case when {tilde over (ω)}_(M−1)−ν_(M−1)=u_(M−1)

Consider (98) in the case when u_(M−1)>0 and {tilde over (ω)}_(M−1)−ν_(M−1)=u_(M−1). The second highest power of p in Σ₀ is p^(2·M−3). The same is true in Ã²−N. In −2·Ã·(Ã−Y) the coefficient of p^(2·M−3) is −2·{tilde over (ω)}_(M−2)·ν_(M−1)·u_(M−1)−2·{tilde over (ω)}_(M−1)·ν_(M−2). Therefore, 0=2·{tilde over (ω)}_(M−1)·{tilde over (ω)}_(M−2)−2·{tilde over (ω)}_(M−1)·ν_(M−2)−2·{tilde over (ω)}_(M−2)·ν_(M−1)+2·ν_(M−1)·ν_(M−2)−2·u _(M−1) ·u _(M−2)  (103) or 2·({tilde over (ω)}_(M−1)−ν_(M−1))·({tilde over (ω)}_(M−2)−ν_(M−2))=2u _(M−1) ·u _(M−2).  (104) By (102), if u_(M−1)≠0 and {tilde over (ω)}_(M−1)−ν_(M−1)=u_(M−1), it must be {tilde over (ω)}_(M−2)−ν_(M−2) =u _(M−2).  (105)

At the next iteration, the contributions to (98) are the following multiples of p^(2·M−4):

$\begin{matrix} \left\{ {\begin{matrix} {{2 \cdot \upsilon_{M - 3} \cdot \upsilon_{M - 1}} + \upsilon_{M - 2}^{2}} & {{from}\mspace{14mu}\left( {\overset{\sim}{A} - Y} \right)^{2}} \\ \begin{matrix} {{{- 2} \cdot {\overset{\sim}{\omega}}_{M - 3} \cdot \upsilon_{M - 1}} - {2 \cdot {\overset{\sim}{\omega}}_{M - 2} \cdot \upsilon_{M - 2}} -} \\ {2 \cdot {\overset{\sim}{\omega}}_{M - 1} \cdot \upsilon_{M - 3}} \end{matrix} & {{from}\mspace{14mu} - {2 \cdot \overset{\sim}{A} \cdot \left( {\overset{\sim}{A} - Y} \right)}} \\ {{2 \cdot {\overset{\sim}{\omega}}_{M - 3} \cdot {\overset{\sim}{\omega}}_{M - 1}} + {\overset{\sim}{\omega}}_{M - 2}^{2}} & {{{from}\mspace{14mu}{\overset{\sim}{A}}^{2}} - N} \\ {{{- 2} \cdot u_{M - 1} \cdot u_{M - 3}} - u_{M - 2}^{2}} & {{from}\mspace{14mu} - X^{2}} \end{matrix}.} \right. & (106) \end{matrix}$ Therefore, 2·({tilde over (ω)}_(M−1)−ν_(M−1))·({tilde over (ω)}_(M−3)−ν_(M−3))+({tilde over (ω)}_(M−2)−ν_(M−2))²=2·u _(M−1) ·u _(M−3) +u _(M−2) ².  (107) By (102) and (105), {tilde over (ω)}_(M−3)−ν_(M−3) =u _(M−3).  (108)

At every iteration the sequence produces a similar relationship between ν_(i) and u_(i). The sequence ends after it concludes that {tilde over (ω)}₂−ν₂ =u ₂.  (109) In general

$\begin{matrix} {{{\overset{\sim}{\omega}}_{i} - \upsilon_{i}} = {u_{i}.}} & (110) \end{matrix}$

These conclusions were reached without interference from (97), which contains multiples of p^(M) only. Indeed, the last equation in the sequence, the one which produced (109), is an equation which operates on multiples of p^(M+1) Refer to (94) and the illustration in FIG. 3.

Consider the representation of the pair (r, s) as in (77). Substitution of (110) into (77) yields

$\begin{matrix} \left\{ \begin{matrix} {r = {\overset{\sim}{A} + {u_{1} \cdot p} + {\left( {{2 \cdot u_{2}} - {\overset{\sim}{\omega}}_{2}} \right) \cdot p^{2}} + {\left( {{2 \cdot u_{3}} - {\overset{\sim}{\omega}}_{3}} \right) \cdot p^{3}} + \ldots +}} \\ {\left( {{2 \cdot u_{M - 1}} - {\overset{\sim}{\omega}}_{M - 1}} \right) \cdot p^{M - 1}} \\ {s = {\overset{\sim}{A} - {u_{1} \cdot p} - {{\overset{\sim}{\omega}}_{2} \cdot p^{2}} - {{\overset{\sim}{\omega}}_{3} \cdot p^{3}} - \ldots - {{\overset{\sim}{\omega}}_{M - 1} \cdot p^{M - 1}}}} \end{matrix} \right. & (111) \end{matrix}$ or

$\begin{matrix} \left\{ {\begin{matrix} {r = {\overset{\sim}{A} + {u_{1} \cdot p} + {\left( {{{- 2} \cdot \upsilon_{2}} + {\overset{\sim}{\omega}}_{2}} \right) \cdot p^{2}} + {\left( {{{- 2} \cdot \upsilon_{3}} + {\overset{\sim}{\omega}}_{3}} \right) \cdot}}} \\ {p^{3} + \ldots + {\left( {{{- 2} \cdot \upsilon_{M - 1}} + {\overset{\sim}{\omega}}_{M - 1}} \right) \cdot p^{M - 1}}} \\ {s = {\overset{\sim}{A} - {u_{1} \cdot p} - {{\overset{\sim}{\omega}}_{2} \cdot p^{2}} - {{\overset{\sim}{\omega}}_{3} \cdot p^{3}} - \ldots - {{\overset{\sim}{\omega}}_{M - 1} \cdot p^{M - 1}}}} \end{matrix}.} \right. & (112) \end{matrix}$ 3) The Case when {tilde over (ω)}_(M−1)−ν_(M−1)=−u_(M−1)

Consider (98) in the case when u_(M−1)>0 and {tilde over (ω)}_(M−1)−ν_(M−1)=−u_(M−1). In this case (104) yields {tilde over (ω)}_(M−2)−ν_(M−2) =−u _(M−2).  (113) Likewise, (107) yields {tilde over (ω)}_(M−3)−ν_(M−3) =−u _(M−3).  (114) and, in general, ω_(i)−ν_(i) =−u _(i).  (115) In this case, substitution of (115) into (77) yields

$\begin{matrix} \left\{ {\begin{matrix} {r = {\overset{\sim}{A} + {u_{1} \cdot p} - {{\overset{\sim}{\omega}}_{2} \cdot p^{2}} - {{\overset{\sim}{\omega}}_{3} \cdot p^{3}} - \ldots - {{\overset{\sim}{\omega}}_{M - 1} \cdot p^{M - 1}}}} \\ {s = {\overset{\sim}{A} - {u_{1} \cdot p} - {\left( {{2 \cdot u_{2}} + {\overset{\sim}{\omega}}_{2}} \right) \cdot p^{2}} - {\left( {{2 \cdot u_{3}} + {\overset{\sim}{\omega}}_{3}} \right) \cdot}}} \\ {p^{3} - \ldots - {\left( {{2 \cdot u_{M - 1}} + {\overset{\sim}{\omega}}_{M - 1}} \right) \cdot p^{M - 1}}} \end{matrix}.} \right. & (116) \end{matrix}$ or

$\begin{matrix} \left\{ {\begin{matrix} {r = {\overset{\sim}{A} + {u_{1} \cdot p} - {{\overset{\sim}{\omega}}_{2} \cdot p^{2}} - {{\overset{\sim}{\omega}}_{3} \cdot p^{3}} - \ldots - {{\overset{\sim}{\omega}}_{M - 1} \cdot p^{M - 1}}}} \\ {s = {\overset{\sim}{A} - {u_{1} \cdot p} + {\left( {{{- 2} \cdot \upsilon_{2}} + {\overset{\sim}{\omega}}_{2}} \right) \cdot p^{2}} + {\left( {{{- 2} \cdot \upsilon_{3}} + {\overset{\sim}{\omega}}_{3}} \right) \cdot}}} \\ {p^{3} + \ldots + {\left( {{{- 2} \cdot \upsilon_{M - 1}} + {\overset{\sim}{\omega}}_{M - 1}} \right) \cdot p^{M - 1}}} \end{matrix}.} \right. & (117) \end{matrix}$ NOTE 1: There are two sets of conditions which can assist in the solution of the factorization problem. The first set are the congruences (94). If u₁≢0 (mod p), for 2<i<M they establish linear relationships between ν_(i) and u_(i−1) modulo p^(M−1) when the variables ν_(j) and u_(j) of lesser degree are known. Refer to the example in (92). The second set are the equations (110) or (115). Substitution of (110) into (77) produced (111) and (112). Substitution of (115) into (77) produced (116) and (117). NOTE 2: Using (111) or (112) to compute (r+s)/2 and (r−s)/2 produce the same results as (77). The benefit of (111) and (112) lies in the fact that, when r is multiplied by s modulo p^(M), the product does not contain any power of p higher than p^(M). Also, except for u₁, with u₁≢0 (mod p), (112) and (111) are linear functions which contain only the set {ν_(i)} or {u_(i)}, respectively. Similar considerations apply to (116) and (117). 4) The Case when u_(M−1)=0 Consider the case when u_(M−1)=0. In this case, equation (102) becomes {tilde over (ω)}_(M−1)−ν_(M−1)=0.  (118) Therefore, no information can be produced using (104). However, (107) yields {tilde over (ω)}_(M−2)−ν_(M−2) =±u _(M−2).  (119) If u_(M−2)≠0, the process can be continued until it concludes that {tilde over (ω)}₃−ν₃ =u ₃.  (120) or {tilde over (ω)}₃−ν₃ =−u ₃.  (121) In fact, if u_(M−1)=0, u₃·p³ is the lowest degree element which, when multiplied by u_(M−2)·p^(M−2), produces a multiple of p^(M+1). Again, there is the possibility that u_(M−2) be zero. In this case (110) or (115) are applicable only when i equals or exceeds 4. The situation is it illustrated by Section VIII.7 and FIG. 4.

In general, assume that u₁≢0 modulo p and u_(M−j)=0 for 1≤j≤j₀. Then (110) is applicable only for i≥j₀+2. In these cases the general expression of the pair (r, s) is

$\begin{matrix} \left\{ {\begin{matrix} {r = {\overset{\sim}{A} + {u_{1} \cdot p} + {\sum\limits_{i = 2}^{j_{0} + 1}{\left( {{- \upsilon_{i}} + u_{i}} \right) \cdot p^{i}}} + {\sum\limits_{i = {j_{0} + 2}}^{M - j_{0} - 1}{\left( {{2 \cdot u_{i}} - {\overset{\sim}{\omega}}_{i}} \right) \cdot}}}} \\ {p^{i} - {\sum\limits_{i = {M - j_{0}}}^{M - 1}{{\overset{\sim}{\omega}}_{i} \cdot p^{i}}}} \\ {s = {\overset{\sim}{A} - {u_{1} \cdot p} + {\sum\limits_{i = 2}^{j_{0} + 1}{\left( {{- \upsilon_{i}} - u_{i}} \right) \cdot p^{i}}} - {\sum\limits_{i = {j_{0} + 2}}^{M - j_{0} - 1}{{\overset{\sim}{\omega}}_{i} \cdot p^{i}}} -}} \\ {\sum\limits_{i = {M - j_{0}}}^{M - 1}{{\overset{\sim}{\omega}}_{i} \cdot p^{i}}} \end{matrix}.} \right. & (122) \end{matrix}$ Compare with (111). Also, in this case, (112) becomes

$\begin{matrix} \left\{ {\begin{matrix} {r = {\overset{\sim}{A} + {u_{1} \cdot p} + {\sum\limits_{i = 2}^{j_{0} + 1}{\left( {{- \upsilon_{i}} + u_{i}} \right) \cdot p^{i}}} + {\sum\limits_{i = {j_{0} + 2}}^{M - j_{0} - 1}{\left( {{{- 2} \cdot \upsilon_{i}} + {\overset{\sim}{\omega}}_{i}} \right) \cdot}}}} \\ {p^{i} - {\sum\limits_{i = {M - j_{0}}}^{M - 1}{{\overset{\sim}{\omega}}_{i} \cdot p^{i}}}} \\ {s = {\overset{\sim}{A} - {u_{1} \cdot p} + {\sum\limits_{i = 2}^{j_{0} + 1}{\left( {{- \upsilon_{i}} - u_{i}} \right) \cdot p^{i}}} - {\sum\limits_{i = {j_{0} + 2}}^{M - j_{0} - 1}{{\overset{\sim}{\omega}}_{i} \cdot p^{i}}} -}} \\ {\sum\limits_{i = {M - j_{0}}}^{M - 1}{{\overset{\sim}{\omega}}_{i} \cdot p^{i}}} \end{matrix}.} \right. & (123) \end{matrix}$ Similarly, if (93) is used in lieu of (110), (116) is replaced by

$\begin{matrix} \left\{ \begin{matrix} {r = {\overset{\sim}{A} + {u_{1} \cdot p} + {\sum\limits_{i = 2}^{j_{0} + 1}{\left( {{- \upsilon_{i}} + u_{i}} \right) \cdot p^{i}}} - {\sum\limits_{i = {j_{0} + 2}}^{M - j_{0} - 1}{{\overset{\sim}{\omega}}_{i} \cdot p^{i}}} -}} \\ {\sum\limits_{i = {M - j_{0}}}^{M - 1}{{\overset{\sim}{\omega}}_{i} \cdot p^{i}}} \\ {s = {\overset{\sim}{A} - {u_{1} \cdot p} + {\sum\limits_{i = 2}^{j_{0} + 1}{\left( {{- \upsilon_{i}} - u_{i}} \right) \cdot p^{i}}} - {\sum\limits_{i = {j_{0} + 2}}^{M - j_{0} - 1}\left( {{2 \cdot u_{i}} + {\overset{\sim}{\omega}}_{i}} \right)} -}} \\ {\sum\limits_{i = {M - j_{0}}}^{M - 1}{{\overset{\sim}{\omega}}_{i} \cdot p^{i}}} \end{matrix} \right. & (124) \end{matrix}$ and (117) is replaced by

$\begin{matrix} \left\{ {\begin{matrix} {r = {\overset{\sim}{A} + {u_{1} \cdot p} + {\sum\limits_{i = 2}^{j_{0} + 1}{\left( {{- \upsilon_{i}} + u_{i}} \right) \cdot p^{i}}} - {\sum\limits_{i = {j_{0} + 2}}^{M - j_{0} - 1}{{\overset{\sim}{\omega}}_{i} \cdot p^{i}}} -}} \\ {\sum\limits_{i = {M - j_{0}}}^{M - 1}{{\overset{\sim}{\omega}}_{i} \cdot p^{i}}} \\ {s = {\overset{\sim}{A} - {u_{1} \cdot p} + {\sum\limits_{i = 2}^{j_{0} + 1}{\left( {{- \upsilon_{1}} - u_{i}} \right) \cdot p^{i}}} + {\sum\limits_{i = {j_{0} + 2}}^{M - j_{0} - 1}{\left( {{{- 2} \cdot \upsilon_{i}} + {\overset{\sim}{\omega}}_{i}} \right) \cdot}}}} \\ {p^{i} - {\sum\limits_{i = {M - j_{0}}}^{M - 1}{{\overset{\sim}{\omega}}_{i} \cdot p^{i}}}} \end{matrix}.} \right. & (125) \end{matrix}$

Notice that a priori there is no knowledge of whether u_(M−1) is or is not zero. The same is true for u_(M−2), etc. Therefore, at this point, j₀ is an undetermined integer.

NOTE 1: When using (124) and (122), the pair (r, s) is dependent on the set {u_(i)} and on the first elements of {ν_(i)}, for 2≤i≤j₀+1. In such cases, the general expression of (r, s) is

$\begin{matrix} \left\{ {\begin{matrix} {r = {{\overset{\sim}{\omega}}_{0} + {{\overset{\sim}{\omega}}_{1} \cdot p} + {{\overset{\sim}{u}}_{1} \cdot p} + {\sum\limits_{i = 2}^{j_{0}}{{\overset{\sim}{z}}_{i} \cdot p^{i}}} + {z_{j_{0} + 1} \cdot p^{j_{0} + 1}}}} \\ {s = {{\overset{\sim}{\omega}}_{0} + {{\overset{\sim}{\omega}}_{1} \cdot p} - {{\overset{\sim}{u}}_{1} \cdot p} + {\sum\limits_{i = 2}^{j_{0}}{{\overset{\sim}{z}}_{i} \cdot p^{i}}} + {z_{j_{0} + 1}p^{j_{0} + 1}} - {2 \cdot}}} \\ {{\sum\limits_{i = 2}^{j_{0}}{{\overset{\sim}{u}}_{i} \cdot p^{i}}} - {2 \cdot {\sum\limits_{i = {j_{0} + 1}}^{M - j_{0} - 1}{u_{i} \cdot p^{i}}}}} \end{matrix},} \right. & (126) \end{matrix}$ where z _(k)={tilde over (ω)}_(k)−ν_(k) u _(k)  (127) or

$\begin{matrix} \left\{ {\begin{matrix} {r = {{\overset{\sim}{\omega}}_{0} + {{\overset{\sim}{\omega}}_{1} \cdot p} + {{\overset{\sim}{u}}_{1} \cdot p} + {\sum\limits_{i = 2}^{j_{0}}{{\overset{\sim}{\zeta}}_{i} \cdot p^{i}}} + {\zeta_{j_{0} + 1} \cdot p^{j_{0} + 1}} + {2 \cdot}}} \\ {{\sum\limits_{i = 2}^{j_{0}}{{\overset{\sim}{u}}_{i} \cdot p^{i}}} + {2 \cdot {\sum\limits_{i = {j_{0} + 1}}^{M - j_{0} - 1}{u_{i} \cdot p^{i}}}}} \\ {s = {{\overset{\sim}{\omega}}_{0} + {{\overset{\sim}{\omega}}_{1} \cdot p} + {{\overset{\sim}{u}}_{1} \cdot p} + {\sum\limits_{i = 2}^{j_{0}}{{\overset{\sim}{\zeta}}_{i} \cdot p^{i}}} + {\zeta_{j_{0} + 1} \cdot p^{j_{0} + 1}}}} \end{matrix}.} \right. & (128) \end{matrix}$ where ζ_(k)={tilde over (ω)}_(k)ν_(k) u _(k).  (129) X. THE PROCESS 1) The Case when u_(M−1)≠0 (j₀=0) 1.1) Overview

Consider the case when u_(M−1)≠0. In this case (111) becomes

$\begin{matrix} \left\{ {\begin{matrix} {r = {{\overset{\sim}{\omega}}_{0} + {\left( {{\overset{\sim}{\omega}}_{1} + u_{1}} \right) \cdot p} + {2 \cdot {\sum\limits_{i = 2}^{M - 1}{u_{i} \cdot p^{i}}}}}} \\ {s = {{\overset{\sim}{\omega}}_{0} + {\left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot p}}} \end{matrix}.} \right. & (130) \end{matrix}$ If

$\begin{matrix} \left\{ {\begin{matrix} {u_{1} ≢ {0\left( {{mod}\mspace{14mu} p} \right)}} \\ {{{\overset{\sim}{\omega}}_{1} \pm u_{1}} ≢ \left( {{mod}\mspace{14mu} p} \right)} \end{matrix},} \right. & (131) \end{matrix}$ multiplication of r by s modulo p^(M) yields:

$\begin{matrix} \left\{ {\begin{matrix} {v_{0} \equiv {{\overset{\sim}{\omega}}_{0}^{2}\left( {{mod}\mspace{14mu} p^{M}} \right)}} \\ {v_{1} \equiv {2 \cdot {\overset{\sim}{\omega}}_{0} \cdot {{\overset{\sim}{\omega}}_{1}\left( {{mod}\mspace{14mu} p^{M - 1}} \right)}}} \\ {v_{2} = {{{\overset{\sim}{\omega}}_{0} \cdot 2 \cdot u_{2}} - u_{1}^{2} + {\overset{\sim}{\omega}}_{1}^{2} + \left( {{mod}\mspace{14mu} p^{M - 2}} \right)}} \\ {v_{3} \equiv {{{\overset{\sim}{\omega}}_{0} \cdot 2 \cdot u_{3}} + {\left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot 2 \cdot {u_{2}\left( {{mod}\mspace{14mu} p^{M - 3}} \right)}}}} \\ \ldots \\ {v_{n - 2} \equiv {{{\overset{\sim}{\omega}}_{0} \cdot 2 \cdot u_{M - 2}} + {\left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot 2 \cdot {u_{M - 3}\left( {{mod}\mspace{14mu} p^{2}} \right)}}}} \\ {v_{n - 1} = {{{\overset{\sim}{\omega}}_{0} \cdot 2 \cdot u_{M - 1}} + {\left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot 2 \cdot {u_{M - 2}\left( {{mod}\mspace{14mu} p} \right)}}}} \end{matrix}.} \right. & (132) \end{matrix}$

Let RH (132)_(i) and LH (132)_(i) denote the RHS and the LHS, respectively, of that congruence in (132) which is defined modulo p^(M−i). Then, it must be RH (132)_(i) −LH (132)_(i)≡0 (mod p ^(M−i)).  (133) Define

$\begin{matrix} {{C(132)}_{i} = {\frac{{{RH}(132)}_{i} - {{LH}(132)}_{i}}{p^{M - 1}}.}} & (134) \end{matrix}$

There is one condition which is not contained in (132): that is the condition that the sum of all the multiples of p^(M) in the system be equal to zero. Specifically, refer to (130). If u_(M−1)≠0, the highest power of p is produced when ({tilde over (ω)}₁−u₁)·p is multiplied by 2·u_(M−1)·p^(M−1). There are other multiples of p^(M) in the system, specifically Q·p^(M), {tilde over (η)}₀·p^(M) and {tilde over (η)}₁·p^(M) and the integers C(133)_(i)·p^(M) for i≥2. (Refer to (87) and (91)). Equating to zero the sum of all the coefficients of p^(M), it must be

$\begin{matrix} {0 = {Q + {\overset{\sim}{\eta}}_{0} + {\overset{\sim}{\eta}}_{1} + {\sum\limits_{i = 2}^{M - 1}{C(132)}_{i}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot {u_{M - 1}.}}}} & (135) \end{matrix}$ 1.2) Tidbits NOTE 1: Refer to (77). By (7), X<N. The magnitude of the integer Xis not dependent on the representation of N. If Nand Xwere represented in base p, and Xwere to approximate closely N, it would be 0<u_(M−1)<p and one of the two factors of N would approximate closely 1. NOTE 2: In general, the integers N₀ are pre-screened to test divisibility by the first elements of the sequence of primes. Thus, it is reasonable to assume that in all cases u_(M−1)=0. Recall that the representation of U as in (73), where {u_(i)} are p^(M−i)—constrained positive integers, offers many degrees of freedom and no practical limitation on the magnitude of Uresults when u_(M−1) is set equal to zero. In fact, any integer U can be represented by a multitude of selections of the set {u_(i)}. NOTE 3: There is a peculiar situation when the pair (r, s) can be described as in (130). Consider the case when ν₀ is a perfect square, say ν₀=Ã₀ ²<p. In these cases {tilde over (ω)}₀ is a small integer and {tilde over (ω)}₀=Ã₀. Then the second of (130) yields

$\begin{matrix} {\frac{s - {\overset{\sim}{A}}_{0}}{p} = {{\overset{\sim}{\omega}}_{1} - {u_{1}.}}} & (136) \end{matrix}$ Some cases were observed when ν₀=Ã₀ ²<p, s was two digits long in base p and u_(M−1) was nonzero. NOTE 4: In this presentation it will be assumed that {tilde over (ω)}₀ ²>p². 2) The Case when j₀=1 (u_(M−1)=0 and u_(M−2)≠0) 2.1) Overview

Consider the case when it has been assumed that u_(M−1)=0. It is desired to determine a pair of divisors (r, s) when u_(M−2)≠0, if such a pair exists. In this case (126) and (128) can be written as follows:

$\begin{matrix} \left\{ \begin{matrix} {u_{M - 2} \neq 0} \\ {u_{M - 1} = 0} \\ {r = {{\overset{\sim}{A}}_{2} + {u_{1} \cdot p} + {\left( {{- \upsilon_{2}} + u_{2}} \right) \cdot p^{2}}}} \\ {s = {{\overset{\sim}{A}}_{2} - {u_{1} \cdot p} + {\left( {{- \upsilon_{2}} + u_{2}} \right) \cdot p^{2}} - {2 \cdot {\sum\limits_{i = 3}^{M - 2}{u_{i} \cdot p^{i}}}}}} \end{matrix} \right. & (137) \end{matrix}$ where Ã ₂={tilde over (ω)}₀+{tilde over (ω)}₁ ·p+{tilde over (ω)} ₂ p ²  (138) and

$\begin{matrix} \left\{ {\begin{matrix} {u_{M - 2} \neq 0} \\ {u_{M - 1} = 0} \\ {r = {{\overset{\sim}{A}}_{1} + {u_{1} \cdot p} + {\zeta_{2} \cdot p^{2}} + {2 \cdot {\sum\limits_{i = 2}^{M - 2}{u_{i} \cdot p^{i}}}}}} \\ {s = {{\overset{\sim}{A}}_{1} - {u_{1} \cdot p} + {\zeta_{2} \cdot p^{2}}}} \end{matrix},} \right. & (139) \end{matrix}$ where Ã ₁={tilde over (ω)}₀+{tilde over (ω)}₁ ·p  (140) and where ζ₂ is defined as in (129):

$\begin{matrix} \left\{ {\begin{matrix} {u_{M - 1} = 0} \\ {u_{M - 2} \neq 0} \\ {\zeta_{2} = {\omega_{2} - \upsilon_{2} - u_{2}}} \end{matrix}.} \right. & (141) \end{matrix}$ Compare with (128) and (129).

Using (139), multiply r by s modulo p^(M). Setting the sum of the coefficients of any given power of p congruent to zero (mod p^(M−i)) yields

$\begin{matrix} \left\{ {\begin{matrix} {u_{M - 2} \neq 0} \\ {v_{0} \equiv {{\overset{\sim}{\omega}}_{0}^{2}\left( {{mod}\mspace{14mu} p^{M}} \right)}} \\ {v_{1} \equiv {2 \cdot {\overset{\sim}{\omega}}_{0} \cdot {{\overset{\sim}{\omega}}_{1}\left( {{mod}\mspace{14mu} p^{M - 1}} \right)}}} \\ {v_{2} \equiv {{- u_{1}^{2}} + {\overset{\sim}{\omega}}_{1}^{2} + {2 \cdot {\overset{\sim}{\omega}}_{0} \cdot \zeta_{2}} + {2 \cdot {\overset{\sim}{\omega}}_{0} \cdot {u_{2}\left( {{mod}\mspace{14mu} p^{M - 2}} \right)}}}} \\ {v_{3} \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{3}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{2}} + {2 \cdot {\overset{\sim}{\omega}}_{1} \cdot {\zeta_{2}\left( {{mod}\mspace{14mu} p^{M - 3}} \right)}}}} \\ {v_{4} \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{4}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{3}} + {2 \cdot \zeta_{2} \cdot u_{2}} + {\zeta_{2}^{2}\left( {{mod}\mspace{14mu} p^{M - 4}} \right)}}} \\ {{{for}\mspace{14mu} i} > 4} \\ {v_{i} \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{i}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{i - 1}} + {2 \cdot \zeta_{2} \cdot {u_{i - 2}\left( {{mod}\mspace{14mu} p^{M - i}} \right)}}}} \\ \ldots \\ {v_{M - 2} \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{M - 2}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{M - 3}} + {2 \cdot \zeta_{2} \cdot {u_{M - 4}\left( {{mod}\mspace{14mu} p^{2}} \right)}}}} \\ {v_{M - 1} \equiv {{2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{M - 2}} + {2 \cdot \zeta_{2} \cdot {u_{M - 3}\left( {{mod}\mspace{14mu} p^{2}} \right)}}}} \end{matrix}.} \right. & (142) \end{matrix}$

Let RH (142)_(i) and LH (142)_(i) denote the RHS and the LHS, respectively, of that congruence in (142) which is defined modulo p^(M−i). Then, it must be RH (142)_(i) −LH (142)_(i)≡0 (mod p ^(M−i)).  (143) Define

$\begin{matrix} {{C(142)}_{i} = {\frac{{{RH}(142)}_{i} - {{LH}(142)}_{i}}{p^{M - i}}.}} & (144) \end{matrix}$

There is one condition which is not contained in (142): that is the condition that the sum of all the multiples of p^(M) in the system be equal to zero. Specifically, refer to (139). If u_(M−2)≠0, the highest power of p is produced when ζ₂·p² is multiplied by 2·u_(M−2)·p^(M−2). The other multiples of p^(M) in the system are Q·p^(M), {tilde over (η)}₀·p^(M), {tilde over (η)}₁·p^(M) and the integers C(142)_(i)·p^(M). Then, equating to zero the sum of the coefficients of p^(M), it must be

$\begin{matrix} {0 = {Q + {\overset{\sim}{\eta}}_{0} + {\overset{\sim}{\eta}}_{1} + {\sum\limits_{i = 2}^{M - 1}{C(142)}_{i}} + {2 \cdot \zeta_{2} \cdot {u_{M - 2}.}}}} & (145) \end{matrix}$ Refer to (88) and (91). In this equation the integer u_(M−2) is defined modulo p² by the second last congruence of (142).

Also, in the computation of C(142)_(M−1), the integers u_(M−2) and u_(M−3) equal the corresponding values in the second last congruence of (142).

The set of congruences (142) can be referred to as a SUPERCONGRUENCE.

2.2) Tidbits

1) Subject to the condition (131), if (142) and (145) do not admit integer solutions, there does not exist an integer r which can be described as in (142) and such that r|N.

2) The system (142) consists of M congruences. Given the selection of an integer u₁<p, the third congruence of (142) defines a corresponding value of ν₂ modulo p^(M−2).

3) The selection of an integer u₂<p defines ζ₂=ω₂−ν₂ −u ₂.  (146) Refer to (141). 4) The solution of the fourth congruence of (142) produces a corresponding u₃. 5) The last congruence of (142) verifies the compatibility between ũ_(M−2) and ν_(M−1) and causes a paring down of the roster of candidate pairs (u₁, u₂). 6) If the system (142) produces a candidate pair (u₁, u₂), the viability of that pair should be tested using (145). Of course, (145) can be satisfied only if

$\begin{matrix} {0 \equiv {Q_{0} + {\overset{\sim}{\eta}}_{0} + {\overset{\sim}{\eta}}_{1} + {\sum\limits_{i = 2}^{M - 1}{C(142)}_{i}} + {2 \cdot \zeta_{2} \cdot {{u_{M - 2}\left( {{mod}\mspace{14mu} p} \right)}.}}}} & (147) \end{matrix}$ Refer to (87). NOTE 1: To expedite the execution of (142), observe that each one of the higher degree congruences of (142) must hold true if they were reduced modulo p². Therefore, (142) could be reduced as follows:

$\begin{matrix} \left\{ {\begin{matrix} {u_{M - 2} \neq 0} \\ {u_{M - 1} = 0} \\ {v_{0} \equiv {{\overset{\sim}{\omega}}_{0}^{2}\left( {{mod}\mspace{14mu} p^{2}} \right)}} \\ {v_{1} \equiv {2 \cdot {\overset{\sim}{\omega}}_{0} \cdot {{\overset{\sim}{\omega}}_{1}\left( {{mod}\mspace{14mu} p^{2}} \right)}}} \\ {v_{2} \equiv {{- u_{1}^{2}} + {\overset{\sim}{\omega}}_{1}^{2} + {2 \cdot {\overset{\sim}{\omega}}_{0} \cdot \zeta_{2}} + {2 \cdot {\overset{\sim}{\omega}}_{0} \cdot {u_{2}\left( {{mod}\mspace{14mu} p^{2}} \right)}}}} \\ {v_{3} \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{3}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{2}} + {2 \cdot {\overset{\sim}{\omega}}_{1} \cdot {\zeta_{2}\left( {{mod}\mspace{14mu} p^{2}} \right)}}}} \\ {v_{4} \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{4}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{3}} + {2 \cdot \zeta_{2} \cdot u_{2}} + {\zeta_{2}^{2}\left( {{mod}\mspace{14mu} p^{2}} \right)}}} \\ {{{for}\mspace{14mu} i} > 4} \\ {v_{i} \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{t}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{i - 1}} + {2 \cdot \zeta_{2} \cdot {u_{i - 2}\left( {{mod}\mspace{14mu} p^{2}} \right)}}}} \\ \ldots \\ {v_{M - 2} \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{M - 2}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{M - 3}} + {2 \cdot \zeta_{2} \cdot {u_{M - 4}\left( {{mod}\mspace{14mu} p^{2}} \right)}}}} \\ {v_{M - 1} \equiv {{2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{M - 2}} + {2 \cdot \zeta_{2} \cdot {u_{M - 3}\left( {{mod}\mspace{14mu} p^{2}} \right)}}}} \end{matrix}.} \right. & (148) \end{matrix}$

In (148) each congruence produces a carry which must be added to C(142)_(M−1). For i<M−1 the carries produced by the congruences (148) are

$\begin{matrix} {{C(148)}_{i} = {\frac{{{RH}(148)}_{i} - {{LH}(148)}_{i}}{p^{2}}.}} & (149) \end{matrix}$

The total of these carries must satisfy the following:

$\begin{matrix} {0 \equiv {Q_{0} + {\overset{\sim}{\eta}}_{0} + {\overset{\sim}{\eta}}_{1} + {\sum\limits_{i = 2}^{M - 2}{C(148)}_{i}} + {C(142)}_{M - 1} + {2 \cdot \zeta_{2} \cdot {{{\overset{\sim}{u}}_{M - 2}\left( {{mod}\mspace{14mu} p} \right)}.}}}} & (150) \end{matrix}$

Notice that the magnitude of M does not burden the execution time of any of the congruences of (148). However, it determines the NUMBER of such congruences and the time required to execute the addition of M two digit numbers (which are represented in base p).

2.3) A Test

Consider the case when the true divisors of N₀, say {tilde over (r)}₀ and {tilde over (s)}₀, are known. Then, after the computation of {tilde over (T)}₀,N_(T) ₀ and the definition of M, the system (142) can be set into place.

If the true solution pair ({tilde over (r)}₀, {tilde over (s)}₀) were known, it would be {tilde over (s)} ₀≡{tilde over (ω)}₀+({tilde over (ω)}₁ −ũ _(1,1))·p+({tilde over (ω)}₂−{tilde over (ν)}₂ ũ _(2,1))·p ²(mod p ³),  (151) and the pair (ũ_(1,1),ũ_(2,1)) would be an element of the set of pairs which satisfy (142). (Table I).

In general, such is not the case.

The contradiction can be explained by observing that, given N₀, the set of feasible pairs represented in Table I is dependent on the prior definition of M. Should M be replaced by some M₁=M+2·m₁ (m₁ integer>0) , the set of feasible pairs in Table I would be different.

Since {tilde over (s)}₀ is not known, the situation can be addressed by exploring independently all the possible definitions of (148), each one associated with a distinct value of M.

TABLE I PART 1 Example of Feasible (u_(1,1), u_(2,1)) Pairs Statement of the Problem N₀ = 100301961039186938810056007 = 165636239140553 · 605555653519 p = 29 r₀ = 15 + 8 · p + 23 · p² + 3 · p³ + 20 · p⁴ + 26 · p⁵ + 4 · p⁶ + 3 · p⁷ + 12 · p⁸ + 11 · p⁹ s₀ = 20 +5 · p + 2 · p² + 2 · p³ + 7 · p⁴ + 1 · p⁵ + 3 · p⁶ + 6 · p⁷ + 1 · p⁸ α = 15 p ^(n) ⁰ ⁻¹ < N₀ < p ^(n) ⁰ n₀ = 18 T₀ = 223062825066445118121878597 T₀ · α ≡ 20 (mod p N_(T) ₀ = T₀ · N₀ = 22373638789105549923178072390737492094618301624582179 n_(T) ₀ = 36

  < N_(T) ₀ <  

M = 4097 M − 1 > 2 · n_(T) ₀ − 2 ω₀ ≈ 4.78 × 10⁷⁴⁸ ω₁ ≈ 3.765 × 10⁷⁴⁸ A ≈ 4.11 × 10⁷⁵² PART 2 Feasible (u_(1,1), u_(2,1)) Pairs u_(1,1) u_(2,1)  1  1  3 20  3 27  3 28  4  1  5 15  5 22  6  1  6  7  6 28  7 14  8 14 10 28 11 25 12  2 12  9 13 19 15  3 15  4 15 26 16 10 17 20 18  5 19  5 19 15 19 17 19 25 22 10 23 20 23 23 23 26 24  9 25 28 27  3 27 25 Solutions of (150) u_(1,1) u_(2,1)  7 14 Correct Solution u_(1,1) u_(2,1)  3 20 2.4) The Periodic Components of (148)

Consider the case when M has been defined using (78). In this case the system (142) consists of M congruences. The LHS of the last n−1 congruences is congruent to zero modulo p^(M−i). Thus, if n−1<i<M−1, it is 0≡=2·{tilde over (ω)}₀ ·u _(i)+2·({tilde over (ω)}₁ −u _(i))·u _(i−1)+2·ζ₂ ·u _(i−2)(mod p ²).  (152)

Notice that the coefficients {tilde over (ω)}₀, {tilde over (ω)}₁−u₁, and ζ₂, after reduction modulo p², do not depend on i, but depend on the selection of the pair (u₁, u₂).

Thus, the system (142) contains a sequence of components which are related to one another as follows:

$\begin{matrix} \left\{ \begin{matrix} \ldots \\ {0 \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{i}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{i - 1}} + {2 \cdot \zeta_{2} \cdot {u_{i - 2}\left( {{mod}\mspace{14mu} p^{2}} \right)}}}} \\ {0 \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{i + 1}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{i}} + {2 \cdot \zeta_{2} \cdot {u_{i - 1}\left( {{mod}\mspace{14mu} p^{2}} \right)}}}} \\ {0 \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{i + 2}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{i + 1}} + {2 \cdot \zeta_{2} \cdot {u_{i}\left( {{mod}\mspace{14mu} p^{2}} \right)}}}} \\ {0 \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{i + 3}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{i + 2}} + {2 \cdot \zeta_{2} \cdot {u_{i + 1}\left( {{mod}\mspace{14mu} p^{2}} \right)}}}} \\ \ldots \end{matrix} \right. & (153) \end{matrix}$

To clarify the role of the integer p−1, assume that (142) is satisfied. Then, if ω₁−u₁≢0 (mod p), and ζ₂≢0(mod p) (131), it will be 0≡ζ₂ ⁻¹·(ω₁ −u ₁)·u _(M−2) +u _(M−3)(mod p),  (154) and 0≡ζ₂ ⁻¹·ω₀ ·u _(M−2)+ζ₂ ⁻¹·(ω₁ −u ₁)·u _(M−3) +u _(M−4)(mod p),  (155) whence 0≡(ζ₂ ⁻¹·ω₀−ζ₂ ⁻²(ω₁ −u ₁)²)·u _(M−2) +u _(M−4)(mod p).  (156) In a similar fashion, 0≡ζ₂ ⁻¹·ω₀ ·u _(M−3)+ζ₂ ⁻¹·(ω₁ −u ₁)·u _(M−4) +u _(M−5)(mod p) ≡−ζ₂ ⁻²·ω₀·(ω₁ −u ₁)·u _(M−2)−ζ₂ ⁻²·ω₀·(ω₁ −u ₁)·u _(M−2) −ζ₂ ⁻³·(ω₁ −u ₁)³ ·u _(M−2) +u _(M−5)(mod p) ≡[−2·ζ₂ ⁻²·ω₀·(ω₁ −u ₁)+ζ₂ ⁻³·(ω₁ −u ₁)³ ]·u _(M−2) +u _(M−5)(mod p).  (157)

Similar relationships can be developed to relate u_(M−i) to u_(M−2) modulo p. Such relationships contain two terms. As i increases, both terms display a periodicity of p−1, or its divisors.

Thus, given a selection of the pair (u₁, u₂), the specific embodiment of (142) for a given M can be related to a corresponding embodiment for M′=M+k·(p−1) for some integer k. Recall that, if M is increased by p−1, the number of congruences in (142) is increased by p−1.

2.5) A New Definition of M

The variability of M can be reduced by observing (24) and (41). Consider a process which evolves (24) into (41). Assume it can be iterated into higher powers of p until the resulting product r·s₀ exceeds the corresponding N. The process could end at that point and would offer a conclusion on the viability of {tilde over (α)}, Ũ_(1,1) and the subsequent sets of (U_(i), V_(2·i)) variables.

Notice that in (32), after multiplication of r by s₀, the highest power of p in the system is p⁴. In (37) it is p⁸. In the subsequent iterations it would be p² ^(k) for k≥2. Thus, it is reasonable to select M=2^(h)+1, for h>0  (158) or

$\begin{matrix} \left\{ {\begin{matrix} {{{M - 1} = 2^{h}},{{{for}\mspace{14mu} h} > 0}} \\ {2^{h} > {n - 1}} \end{matrix}.} \right. & (159) \end{matrix}$ Compare with (78). 2.6) Privileged sets of exponents M

Consider the case when an integer k·(p−1) is added to M. It is desired that the pairs (u₁, u₂) be proven still viable when Mis replaced by M₁=M+k·(p−1). This condition can be satisfied if both M₁ and M satisfy (159).

In this case, 2^(h) +k·4·ODD=2^(j)  (160) or 1+k′′ODD=2^(j−h) where k=2^(h−2) ·k′.  (161)

If p=29=4·7+1, the condition is satisfied when k′=1 and j−h=2³.

For the example of Table I, Table II shows the feasible (u₁, u₂) pairs for a sequence of values of M which satisfy (159).

Table III discards the (u₁, u₂) pairs which are not confirmed when M−1 is multiplied by p³.

Table IV shows an example of confirmed pair when p=61.

Table V shows the values of k′ and p^(j−h) for a set of primes of the form p=4·ODD+1.

TABLE II Feasible (u_(1,1,) u_(2,1)) Pairs for the Example of TABLE I with Increments of M by 2³ M (u_(1,1,) u_(2,1)) PART 1 65 (1, 1), (1, 28), (3, 5), (3, 20), (3, 28), (5, 15), (5, 23), (6, 1), (6, 7), (6, 28), (7, 14), (7, 15), (8, 14), (10, 15), (10, 28), (12, 9), (15, 4), (16, 21), (16, 23), (17, 20), (18, 5), (18, 19), (18, 23), (19, 0), (19, 4), (19, 5), (19, 8), (19, 17), (19, 25), (20, 0), (20, 3), (23, 14), (23, 20), (23, 23), (25, 28), (26, 17), (27, 3), (27, 25), (28, 1) 129 (1, 0), (1, 23), (4, 19), (5, 3), (6, 9), (6, 11), (6, 16), (9, 3), (10, 17), (11, 18), (12, 7), (12, 15), (13, 16), (14, 23), (15, 0), (15, 4), (15, 25), (16, 4), (19, 26), (20, 1), (21, 8), (23, 1), (23, 22), (23, 28), (24, 1), (25, 7), (26, 23) 257 (2, 26), (4, 20), (5, 8), (5, 20), (6, 3), (6, 9), (7, 19), (10, 14), (12, 26), (13, 19), (13, 26), (14, 3), (14, 26), (15, 6), (16, 10), (17, 27), (18, 4), (20, 22), (21, 2), (21, 26), (23, 1), (23, 22), (23, 28), (24, 7), (24, 14), (26, 2) 513 (1, 1), (3, 20), (3, 28), (6, 1), (6, 7), (6, 28), (7, 14), (8, 14), (10, 28), (12, 9), (14, 4), (15, 4), (15, 27), (16, 13), (17, 20), (17, 22), (18, 5), (18, 14), (19, 5), (19, 17), (19, 25), (20, 15), (23, 13), (23, 20), (23, 23), (24, 23), (25, 11), (25, 28), (26, 20), (26, 27), (27, 25) (1, 23), (1, 28), (2, 11), (2, 26), (5, 3), (6, 5), (6, 9), (6, 11), (6, 15), (9, 0), 1025 (9, 3), (9, 26), (10, 0), (10, 17), (10, 21), (10, 25), (11, 6), (11, 10), (13, 6), (13, 8), (14, 0), (14, 23), (15, 4), (16, 4), (20, 1), (23, 1), (23, 22), (23, 28), (24, 1), (24, 6), (24, 14), (26, 23), (26, 24), (28, 1), (28, 27) PART 2 65 (1, 1), (1, 28), (3, 5), (3, 20), (3, 28), (5, 15), (5, 23), (6, 1), (6, 7), (6, 28), (7, 14), (7, 15), (8, 14), (10, 15), (10, 28), (12, 9), (15, 4), (16, 21), (16, 23), (17, 20), (18, 5), (18, 19), (18, 23), (19, 0), (19, 4), (19, 5), (19, 8), (19, 17), (19, 25), (20, 0), (20, 3), (23, 14), (23, 20), (23, 23), (25, 28), (26, 17), (27, 3), (27, 25), (28, 1) 129 (1, 0), (1, 23), (4, 19), (5, 3), (6, 9), (6, 11), (6, 16), (9, 3), (10, 17), (11, 18), (12, 7), (12, 15), (13, 16), (14, 23), (15, 0), (15, 4), (15, 25), (16, 4), (19, 26), (20, 1), (21, 8), (23, 1), (23, 22), (23, 28), (24, 1), (25, 7), (26, 23) 257 (2, 26), (4, 20), (5, 8), (5, 20), (6, 3), (6, 9), (7, 19), (10, 14), (12, 26), (13, 19), (13, 26), (14, 3), (14, 26), (15, 6), (16, 10), (17, 27), (18, 4), (20, 22), (21, 2), (21, 26), (23, 1), (23, 22), (23, 28), (24, 7), (24, 14), (26, 2) 513 (1, 1), (3, 20), (3, 28), (6, 1), (6, 7), (6, 28), (7, 14), (8, 14), (10, 28), (12, 9), (14, 4), (15, 4), (15, 27), (16, 13), (17, 20), (17, 22), (18, 5), (18, 14), (19, 5), (19, 17), (19, 25), (20, 15), (23, 13), (23, 20), (23, 23), (24, 23), (25, 11), (25, 28), (26, 20), (26, 27), (27, 25) 1025 (1, 23), (1, 28), (2, 11), (2, 26), (5, 3), (6, 5), (6, 9), (6, 11), (6, 15), (9, 0), (9, 3), (9, 26), (10, 0), (10, 17), (10, 21), (10, 25), (11, 6), (11, 10), (13, 6), (13, 8), (14, 0), (14, 23), (15, 4), (16, 4), (20, 1), (23, 1), (23, 22), (23, 28), (24, 1), (24, 6), (24, 14), (26, 23), (26, 24), (28, 1), (28, 27)

TABLE III Example of Confirmed (u_(1,1), u_(2,1)) Pairs in Table II M (u_(1,1), u_(2,1)) 65, (1, 1), (3, 20), (3, 28), (6, 1), (6, 7), (6, 28), (7, 14), (8, 14), (10, 28), 513, (12, 9), (15, 4), (17, 20), (18, 5), (19, 5), (19, 17), (19, 25), (23, 20), (23, 23), 4097, (25, 28), (27, 25) 32769 129, (1, 23), (5, 3), (6, 9), (6, 11), (9, 3), (10, 17), (14, 23), (15, 4), (16, 4), (20, 1), 1025, (23, 1), (23, 22), (23, 28), (24, 1), (26, 23) 8193 257, (4, 20), (5, 8), (6, 9), (12, 26), (13, 26), (15, 6), (20, 22), (21, 2), (21, 26), 2049, (23, 1), (23, 22), (23, 28) 16385

TABLE IV Example of Confirmed (u_(1,1), u_(2,1)) Pairs with Increment of M by 2⁴ for p = 61 N₀ = 1003019631558929713685288333 = 165636239140789 · 605555666297 p = 29 r₀ = 54 + 22 · p + 32 · p² + 34 · p³ + 55 · p⁴ + 58 · p⁵ + 42 · p⁶ + 52 · p⁷ s₀ = 27 + 57 · p + 24 · p² + 34 · p³ + 59 · p⁴ + 45 · p⁵ + 11 · p⁶ α = 54 p ^(n) ⁰ ⁻¹ < N₀ < p ^(n) ⁰ n₀ = 15 T₀ = 351071793171532742034651427 T₀ · α ≡ 27 (mod p) N_(T) ₀ = T₀ · N₀ = 35213190063742146757748863016054424768295755644901191

  < N_(T) ₀ < 

n_(T) ₀ = 30 M − 1 > 2 · n_(T) ₀ M = 4097 M List of Confirmed (u_(1,1), u_(2,1)) 65, (2, 20), (4, 52), (6, 15), (8, 3), (11, 9), (12, 24), (12, 53), (12, 56), 1025 (15, 60), (20, 34), (22, 45), (22, 60), (24, 24), (24, 46), (24, 49), (29, 54), (30, 58), (32, 9), (32, 38), (33, 35), (35, 32), (43, 26), (43, 43), (44, 53), (47, 13), (50, 48), (52, 2), (54, 34), (54, 47), (55, 42), (57, 35), (58, 41) 129, no (u_(1,1), u_(2,1)) confirmed pairs 2049 257, (2, 25), (3, 49), (4, 26), (9, 5), (10, 56), (12 7), (14, 44), (16, 28), 4097 (18, 23), (19, 34), (24, 36), (25, 14), (28, 26), (29, 52), (30, 54), (31, 2), (31, 52), (32, 1), (33, 4), (36, 18), (37, 12), (41, 27), (44, 1), (46, 9), (48, 0), (49, 5), (49, 8), (49, 37), (50, 52), (53, 1), (55, 39) 513, (18, 55), (37, 39) 8193 Correct Solution u_(1,1) u_(2,1) 20 34

TABLE V Examples of Privileged Sets of Exponents p (p − 1)/4 k′ 2^(j-h) 13 3 1 2²  29 7 1 2³  37 9 7 2⁶  53 13 315 2¹² 61 15 1 2⁴  101 25 41, 943 2²⁰

NOTE 1: The periodicity of (148) is dependent on the periodicity of the two coefficients of u_(M−2) in (157). If both coefficients have periodicity p−1, the resulting periodicity of (148) and M are illustrated by Table V.

However, in general, each one of the two coefficients of u_(M−2) may have its own periodicity, which equals any one of the divisors of p−1.

Table VI shows a case when p=29 and the integer 2^(j−h) of Table V is replaced by 2⁴.

2.7) The Determination of U_(1,2)

The system (142) has been developed without placing any condition on the magnitude of u₁, u₂, and the subsequent u_(i)'s. It is useful to explore the case when u₁ and u₂ are defined as follows:

TABLE VI Example of a Different Periodicity of M for p = 29 N₀ = 100301962714574772614226437 = 165636239140789 · 605555663633 p = 29 r₀ = 19 + 16 · p + 23 · p² + 3 · p³ + 20 · p⁴ + 26 · p⁵ + 4 · p⁶ + 3 · p⁷ + 12 · p⁸ + 11 · p⁹ s₀ = 13 + 6 · p + 14 · p² + 2 · p³ + 7 · p⁴ + 1 · p⁵ + 3 · p⁶ + 6 · p⁷ + 1 · p⁸ α = 19 p ^(n) ⁰ ⁻¹ < N₀ < p ^(n) ⁰ n₀ = 18 T₀ = 218313923311049716831435891 T₀ · α ≡ 20 (modp) N_(T) ₀ = T₀ · N₀ = 21897314996017444986250462892843316543173648922850367

< N_(T) ₀ <  

n_(T) ₀ = 36 M − 1 > 2 · n_(T) ₀ − 2 M = 4097 ω₀ ≈ 1.24 × 10²⁹⁹⁶ ω₁ ≈ 9.57 × 10²⁹⁹⁴ A ≈ 2.86 × 10²⁹⁹⁹ M List of Confirmed (u_(1,1), u_(2,1)) 65, (2, 8), (4, 15), (5, 25), (9, 2), (9, 12), (13, 4), (13, 18), (14, 18), 1025 (14, 22), (15, 20), (18, 13), (22, 0), (22, 8), (26, 4), (26, 15), (28, 20) 129, (3, 6), (4, 14), (4, 15), (5, 25), (6, 4), (8, 6), (9, 13), (9, 18), (13, 8), 2049 (13, 19), (14, 17), (14, 19), (28, 20) 257, (1, 9), (3, 14), (5, 14), (6, 10), (7, 8), (9, 7), (11, 25), (15, 11), 4097 (16, 16), (18, 10), (19, 15), (20, 21), (20, 27), (21, 20), (21, 21), (23, 9), (24, 4), (24, 21), (25, 14), (27, 11), (28, 1) 513 no (u_(1,1), u_(2,1)) confirmed pairs Correct Solution u_(1,1) u_(2,1) 22 8

$\begin{matrix} \left\{ {\begin{matrix} {U_{1,2} = {u_{1,1} + {u_{1,2} \cdot p}}} \\ {U_{2,2} = {u_{2,1} + {u_{2,2} \cdot p}}} \end{matrix},} \right. & (162) \end{matrix}$ where 0<u_(1,1), u_(2,1)<p. Refer to (76).

Consider the system (128) when j₀=1. In this case the general expression of s is s≡{tilde over (ω)} ₀+({tilde over (ω)}₁ −u ₁)·p+({tilde over (ω)}₂−{tilde over (ν)}₂ −u ₂)·p ²(mod p ³).  (163) If the pair (u_(1,1), u_(2,1)) were substituted in lieu of (u₁, u₂), it would be s≡{tilde over (ω)} ₀+({tilde over (ω)}₁ −u _(1,1))·p+({tilde over (ω)}₂−{tilde over (ν)}₂ −u _(2,1))·p ²(mod p ³).  (164) If the pair (U_(1,2), U_(2,2)) were substituted in lieu of (u₁, u₂) , it would be s≡{tilde over (ω)} ₀+({tilde over (ω)}₁ −U _(1,2))·p+({tilde over (ω)}₂−{tilde over (ν)}₂ −U _(2,2))·p ²(mod p ⁴).  (165) If u_(1,2)≠0, reduction of (165) modulo p³ would produce a congruence which is not consistent with (164). Therefore, u_(1,2) must equal zero. 2.8) The Determination of U_(2,2)

Consider the case when, given M, the systems (142) and (148) have produced a set of viable pairs (u_(1,1), u_(2,1)). Such pairs define viable expressions of s (mod p³).

It is desired to define corresponding viable expressions of s (mod p⁴).

This can be accomplished by defining that value of U_(2,2) which satisfies both (142) and the corresponding condition on the carries. For this purpose:

1) Substitute a candidate U_(2,2) into (142) in lieu of u₂.

2) Define the integer ζ_(2,2)={tilde over (ω)}₂{tilde over (ν)}₂ −U _(2,2)  (166) and substitute it into (142) in lieu of ζ₂.

Notice that after these substitutions, every selection of U_(2,2) satisfies (142). However, the pair (u_(1,1), u_(2,1)) is feasible only if there exists at least one value of u_(2,2) which satisfies the condition (147) on the carries modulo p

To produce the solution u_(2,2), it is convenient to use an approach similar to (148). Specifically, after replacement of u_(2,1) by U_(2,2), all the congruences of (148), with the exception of the last two congruences, can be reduced modulo p³ yielding

$\begin{matrix} {\quad\left\{ {\begin{matrix} {u_{M - 2} \neq 0} \\ {u_{M - 1} = 0} \\ {v_{0} \equiv {{\overset{\sim}{\omega}}_{0}^{2}\left( {{mod}\mspace{14mu} p^{3}} \right)}} \\ {v_{1} \equiv {2 \cdot {\overset{\sim}{\omega}}_{0} \cdot {{\overset{\sim}{\omega}}_{1}\left( {{mod}\mspace{14mu} p^{3}} \right)}}} \\ {v_{2} \equiv {{- u_{1}^{2}} + {\overset{\sim}{\omega}}_{1}^{2} + {2 \cdot {\overset{\sim}{\omega}}_{0} \cdot \zeta_{2,2}} + {2 \cdot {\overset{\sim}{\omega}}_{0} \cdot {u_{2}\left( {{mod}\mspace{14mu} p^{3}} \right)}}}} \\ {v_{3} \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{3}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{2}} + {2 \cdot {\overset{\sim}{\omega}}_{1} \cdot {\zeta_{2,2}\left( {{mod}\mspace{14mu} p^{3}} \right)}}}} \\ {v_{4} \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{4}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{3}} + {2 \cdot \zeta_{2,2} \cdot u_{2}} + {\zeta_{2,2}^{2}\left( {{mod}\mspace{14mu} p^{3}} \right)}}} \\ {{{for}\mspace{14mu} i} > 4} \\ {v_{i} \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{t}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{i - 1}} + {2 \cdot \zeta_{2,2} \cdot {u_{i - 2}\left( {{mod}\mspace{14mu} p^{3}} \right)}}}} \\ \ldots \\ {v_{M - 3} \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{M - 3}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{M - 4}} + {2 \cdot \zeta_{2,2} \cdot}}} \\ {u_{M - 5}\left( {{mod}\mspace{14mu} p^{3}} \right)} \\ {v_{M - 2} \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{M - 2}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{M - 3}} + {2 \cdot \zeta_{2,2} \cdot}}} \\ {u_{M - 4}\left( {{mod}\mspace{14mu} p^{2}} \right)} \\ {v_{M - 1} \equiv {{2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - u_{1}} \right) \cdot u_{M - 2}} + {2 \cdot \zeta_{2,2} \cdot {u_{M - 3}\left( {{mod}\mspace{14mu} p} \right)}}}} \end{matrix}.} \right.} & (167) \end{matrix}$

Correspondingly, with the exception of the last two congruences, the carries should be defined as

$\begin{matrix} {{C(167)}_{i} = \frac{{{RH}(167)}_{i} - {{LH}(167)}_{i}}{p^{3}}} & (168) \end{matrix}$ and the condition (150) can be restated as follows:

$\begin{matrix} {0 \equiv {Q_{0} + {\overset{\sim}{\eta}}_{0} + {\overset{\sim}{\eta}}_{1} + {\sum\limits_{i = 2}^{M - 3}{C(167)}_{i}} + {C(142)}_{M - 2} + {C(142)}_{M - 1} + {2 \cdot \zeta_{2,2} \cdot {{{\overset{\sim}{u}}_{M - 2}\left( {{mod}\mspace{14mu} p} \right)}.}}}} & (169) \end{matrix}$ NOTE 1: Compare two different expressions of s (mod p⁴): s≡{tilde over (ω)} ₀+({tilde over (ω)}₁ −u ₁)p+({tilde over (ω)}₂−{tilde over (ν)}₂ −u ₂)p ²+({tilde over (ω)}₃−ν₃ −u ₃)·p ³(mod p ⁴)  (170) and s≡{tilde over (ω)} ₀+({tilde over (ω)}₁ −u ₁)p ²+({tilde over (ω)}₂−ν₂ −u _(2,1) −u _(2,2) ·p)·p ²(mod p ⁴)  (171) Then −u _(2,2)≡{tilde over (ω)}₃ν₃ −u ₃ (mod p).  (172) Recall that ν₃ can be computed using (94). Table VII shows the resulting (u_(1,1),u_(2,1), u_(3,1)) triads for the example of Table III.

TABLE VII Confirmed (u_(1,1), u_(2,1), u_(3,1)) triads for the Example of Table III M (u_(1,1), u_(2,1), u_(3,1)) 65, (1, 1, 9), (1, 1, 28), (3, 20, 6), (3, 28, 25), (6, 1, 5), 513, (10, 28, 4), (10, 28, 24), (12, 9, 8), (12, 9, 12), (15, 4, 25), 4097, (17, 20, 2), (17, 20, 27), (19, 5, 4), (19, 5, 12), (19, 17, 5), 32769 (19, 17, 25), (19, 25, 25), (23, 20, 1), (23, 20, 25) 129, (1, 23, 8), (1, 23, 15), (5, 3, 24), (6, 11, 21), (10, 17, 8), 1025, (10, 17, 27), (15, 4, 10), (16, 4, 12), (20, 1, 3), (20, 1, 10), 8193 (20, 1, 27), (23, 22, 1), (23, 22, 4), (23, 22, 8), (23, 28, 5), (23, 28, 22), (24, 1, 3), (24, 1, 13), (24, 1, 20), (24, 1, 21), (26, 23, 1) 257, (4, 20, 27), (13, 26, 24), (20, 22, 23), (23, 22, 3), 2049, (23, 22, 5), (23, 22, 21), (23, 22, 22) 16385 NOTE 2: In general, the execution of (167) and the corresponding (169) produce only one candidate value of u_(2,2). In some cases, more than one value results. In these cases, all the corresponding value of U_(2,2) must be explored. 2.9) The General Case

After the determination of U_(2,2), a similar procedure can be employed to determine U_(2,3), where ζ_(2,3)={tilde over (ω)}₂−ν₂ −u _(2, 1) −u _(2, 2) ·p−u _(2, 3) ·p ²  (173)

In this case the moduli of (167) should be increased to p⁴ and the corresponding carries (168) should be adjusted accordingly. The resulting condition on the carries (169) would be computed modulo p².

Thereafter, the procedure can be iterated to determine the higher components of U.

Each step would propose a new value of s as a candidate divisor of N₀. If none of such steps offers a divisor of N₀, the initial (u_(1,1), u_(2,1)) pair must be discarded.

2.10) Execution Time

This section contains an estimate of the upper bound of the time required to factor N using the procedure just described.

For the purpose of this estimate, it will be assumed that elementary arithmetic operations require a time of an order not exceeding log_(P) ² N, where p denotes the base of representation of N.

The same can be assumed for the computation of multiplicative inverses, other linear congruences and square roots.

The proposed algorithm requires repeated execution of supercongruences such as (142) or (148). These systems consist of M congruences which are defined by a modulus as high as p^(M). Thus, their execution can be assumed to require a time of the order of M³.

Usually (142) is executed for the purpose of identifying the feasible values of a particular variable. Such is the case when (142) is executed to identify the values of u_(2,1) which are consistent with a known u_(1,1). Thus, the execution time of a supercongruence is p·M³.

Accounting for the variability of u_(1,1) and α, the production of all the feasible triads (α, u_(1,1), u_(2,1)) requires a time of the order of p³·M³.

Observing TABLE III, it can be concluded that the number of feasible triads (α, u_(1,1), u_(2,1)) is of the order of p². After the determination of the feasible pairs (u_(1,1), u_(2,1)) for a given α, such pairs are employed to determine the corresponding sequence of u_(2,i)'s. The determination of all u's for a given α requires the execution of as many as log_(p) N₀ supercongruences. Thus the execution time for all α would be of the order of p²·(p·M³)·M.

In particular, when p approximates the value of M, execution time is of the order of p⁷.

3) The Case when j₀=2

3.1) Overview

Consider the case when a roster of candidate pairs {(Ũ_(1,1), Ũ_(2,1))} has been determined and none of the corresponding pairs (r, s) represent divisors of N. Thus a new variable, ζ₃, can be introduced. The pair {(Ũ_(1,1), Ũ_(2,1))} is feasible only if there exists an integer ζ₃ such that,

$\begin{matrix} \left\{ \begin{matrix} {u_{M - 1} = 0} \\ {u_{M - 2} = 0} \\ {u_{M - 3} \neq 0} \\ {r = {{\overset{\sim}{A}}_{1} + {{\overset{\sim}{u}}_{1} \cdot {+ {\overset{\sim}{\zeta}}_{2}} \cdot p^{2}} + {\zeta_{3} \cdot p^{3}} + {2 \cdot {\overset{\sim}{u}}_{2} \cdot p^{2}} + {2 \cdot {\sum\limits_{i = 3}^{M - 3}{u_{i} \cdot {p^{i}.}}}}}} \\ {s = {{\overset{\sim}{A}}_{1} - {{\overset{\sim}{u}}_{1} \cdot p} + {{\overset{\sim}{\zeta}}_{2} \cdot p^{2}} + {\zeta_{3} \cdot {p^{3}.}}}} \end{matrix} \right. & (175) \end{matrix}$ Notice that in (175) u₁, u₂ and ζ₂ are known integers, say ũ₁, ũ₂ and {tilde over (ζ)}₂. Multiplication of r by s modulo p^(M) yields:

$\begin{matrix} \left\{ {\begin{matrix} {u_{M - 3} \neq 0} \\ {u_{M - 2} = 0} \\ {u_{M - 1} = 0} \\ {v_{0} \equiv {{\overset{\sim}{\omega}}_{0}^{2}\left( {{mod}\mspace{14mu} p^{M}} \right)}} \\ {v_{1} \equiv {2 \cdot {\overset{\sim}{\omega}}_{0} \cdot {\omega_{1}\left( {{mod}\mspace{14mu} p^{M - 1}} \right)}}} \\ {v_{2} \equiv {{- {\overset{\sim}{u}}_{1}^{2}} + {\overset{\sim}{\omega}}_{1}^{2} + {2 \cdot {\overset{\sim}{\omega}}_{0} \cdot {\overset{\sim}{\zeta}}_{2}} + {2 \cdot {\overset{\sim}{\omega}}_{0} \cdot {{\overset{\sim}{u}}_{2}\left( {{mod}\mspace{14mu} p^{M - 2}} \right)}}}} \\ {v_{3} \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{3}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - {\overset{\sim}{u}}_{1}} \right) \cdot {\overset{\sim}{u}}_{2}} + {2 \cdot {\overset{\sim}{\omega}}_{1} \cdot {\overset{\sim}{\zeta}}_{2}} + {2 \cdot {\overset{\sim}{\omega}}_{0} \cdot}}} \\ {{\overset{\sim}{\zeta}}_{3}\left( {{mod}\mspace{14mu} p^{M - 3}} \right)} \\ {v_{4} \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{4}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - {\overset{\sim}{u}}_{1}} \right) \cdot u_{3}} + {2 \cdot {\overset{\sim}{\zeta}}_{2} \cdot {\overset{\sim}{u}}_{2}} + {2 \cdot {\overset{\sim}{\omega}}_{1} \cdot \zeta_{3}} +}} \\ {{\overset{\sim}{\zeta}}_{2}^{2}\left( {{mod}\mspace{14mu} p^{M - 4}} \right)} \\ {v_{5} \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{5}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - {\overset{\sim}{u}}_{1}} \right) \cdot u_{4}} + {2 \cdot {\overset{\sim}{\zeta}}_{2} \cdot u_{3}} + {2 \cdot \zeta_{3} \cdot {\overset{\sim}{u}}_{2}} +}} \\ {2 \cdot {\overset{\sim}{\zeta}}_{2} \cdot {\zeta_{3}\left( {{mod}\mspace{14mu} p^{M - 5}} \right)}} \\ {v_{6} \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{6}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - {\overset{\sim}{u}}_{1}} \right) \cdot u_{5}} + {2 \cdot {\overset{\sim}{\zeta}}_{2} \cdot u_{4}} + {2 \cdot \zeta_{3} \cdot u_{3}} +}} \\ {\zeta_{3}^{2}\left( {{mod}\mspace{14mu} p^{M - 6}} \right)} \\ {{{for}\mspace{14mu} i} > 6} \\ {v_{i} \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{i}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - {\overset{\sim}{u}}_{1}} \right) \cdot u_{i - 1}} + {2 \cdot {\overset{\sim}{\zeta}}_{2} \cdot u_{i - 2}} + {2 \cdot \zeta_{3} \cdot}}} \\ {u_{i - 3}\left( {{mod}\mspace{14mu} p^{M - i}} \right)} \\ \ldots \\ {v_{n - 3} \equiv {{2 \cdot {\overset{\sim}{\omega}}_{0} \cdot u_{M - 3}} + {2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - {\overset{\sim}{u}}_{1}} \right) \cdot u_{M - 4}} + {2 \cdot {\overset{\sim}{\zeta}}_{2} \cdot u_{M - 5}} + {2 \cdot \zeta_{3} \cdot}}} \\ {u_{M - 6}\left( {{mod}\mspace{14mu} p^{3}} \right)} \\ {v_{n - 2} \equiv {{2 \cdot \left( {{\overset{\sim}{\omega}}_{1} - {\overset{\sim}{u}}_{1}} \right) \cdot u_{M - 3}} + {2 \cdot {\overset{\sim}{\zeta}}_{2} \cdot u_{M - 4}} + {2 \cdot \zeta_{3} \cdot {u_{M - 5}\left( {{mod}\mspace{14mu} p^{2}} \right)}}}} \\ {v_{n - 1} \equiv {{2 \cdot {\overset{\sim}{\zeta}}_{2} \cdot u_{M - 3}} + {2 \cdot \zeta_{3} \cdot {u_{M - 4}\left( {{mod}\mspace{14mu} p} \right)}}}} \end{matrix}.} \right. & (176) \end{matrix}$ For each initial selection of the pair (u₁, u₂) , the system (176) may produce a triad (u₁, u₂, ζ₃) such that r·s≡N (mod p⁴). 3.2) Determination of u₃ (mod p) using (176)

STEP 1: Select an element of the roster {(u₁, u₂)} representing a solution of (142), say (Ũ_(1,1), Ũ_(2,1)|M).

STEP 2: Using (94), compute ν₃ (mod p^(M−3)), say {tilde over (ν)}_(3,1). The same result can be obtained by observing that in (176) the congruence which is defined modulo p^(M−3) can be written as follows: 0≡−2·{tilde over (ω)}₀·ν_(3,1)−2·{tilde over (ω)}₁·{tilde over (ν)}_(2, 2)−2·Ũ _(1, 1) ·Ũ _(2,1) (mod p ^(M−3)).  (177) This congruence does not contain u₃ and allows one to determine ν_(3,1) modulo p^(M−3). STEP 3: To compute an integer u₃ (mod p) which satisfies (176), select an initial value of u₃ (mod p), say ũ_(3,1). STEP 4: Compute a corresponding value of ζ₃, say {tilde over (ζ)}_(3,1), where {tilde over (ζ)}_(3,1)={tilde over (ω)}₃−{tilde over (ν)}_(3,1) −ũ _(3,1)  (178) STEP 5: Substitute Ũ_(1,1), Ũ_(2,2) and {tilde over (ζ)}₂ in lieu of u₁, u₂and ζ₂ into (176). Also, substitute {tilde over (ζ)}_(3,1) in lieu of ζ₃ into (176). Solve the congruences (176) starting with the condition on ν₄ and proceeding to the condition on ν_(n−3) (mod p³). The last two congruences of (176) verify the consistency of u_(M−3) with the corresponding LHS's, which are defined modulo p² and modulo p, respectively. In the event such a consistency is satisfied, a value of u_(M−3) (mod p) is produced and ũ_(3,1) is validated. All possible selections of ũ_(3,1) must be tested. If no selection of ũ_(3,1) satisfies (176) for the given pair (u_(1,1), u_(2,1)|M), then such a pair must be discarded. 3.3) Validation of u_(2,2)

The integer u_(3,1) produced by (176) should be consistent with the value of u_(2,2) produced by (167). However, there are many selections of (u_(1,1), u_(2,1)) which, by (167), produce a corresponding u_(2,2) and, by (176), do not produce any corresponding u_(3,1).

Thus it appears that (176) is more severe than (167) in the determination of u_(3,1).

Therefore, it is possible to execute (176) for all the confirmed pairs (u_(1,1), u_(2,1)) which survive (142) and are listed in TABLE III and produce a corresponding roster of viable triads (u_(1,1), u_(2,1), u_(3,1)).

This step depopulates TABLE III drastically. Compare TABLE VII with TABLE VIII.

TABLE VIII Example of Feasible (u_(1,1), u_(2,1), u_(3,1))Triads for Increasing M and p = 29 using Supercongruence (176) M (u_(1,1), u_(2,1), u_(3,1)) 65 (3, 20, 6), (6, 28, 4) 129 (23, 1, 25) 257 (23, 1, 25) 513 (3, 20, 6), (6, 28, 4) 1025 (13, 8, 17), (15, 4, 28), (23, 1, 25) 2049 (23, 1, 25) 4097 (3, 20, 6), (6, 28, 4)

TABLE IX Calculation of u_(2,i) and v_(i) for i > 2 Calculation of u_(2,n) u₁ u_(2,1) u_(2,2) u_(2,3) u_(2,4) u_(2,5) u_(2,6) u_(2,7) u_(2,8) u_(2,9) 3 20 6 18 3 28 25 9 12 I Calculation of v₁ v₂ v₃ v₄ v₅ v₆ v₇ v₈ v₉ v₁₀ 24 17 25 12 2 9 21 18 7 This corresponds to the factor s₀ = 605555653519. 3.4) Execution Time

After the depopulation of Table VII into Table VIII, the algorithm of Section 2.9 can resume and determine the appropriate u_(2,1)'s, for all i>2. For the example of Table I, Table IX shows the resulting values of u_(2,i) and ν_(i) for all i>2.

The benefit of the validation of u_(2,2) is the reduction of the total execution time by a factor of approximately p, thus reducing the total execution time to approximately p⁶.

XI. AN ALTERNATIVE APPROACH TO THE HIGHER POWERS OF p

1) The Approach

Consider the case when the triad ({tilde over (α)}, Ũ_(1,1), Ũ_(2,2)) is a solution of (142) and (150), when N is to defined as in (37) and M is used in lieu of n₀.

In this case, it is possible to compute r₀ modulo p⁴ as r ₀ ≡{tilde over (T)} ₀ ⁻¹ ·r (mod p ⁴)  (179) where r≡{tilde over (ω)} ₀+({tilde over (ω)}₁ +ũ _(1,1))·p+({tilde over (ω)}₂−{tilde over (ν)}_(2,2) +Ũ _(2,2))·p ² (mod p ⁴).  (180) Define {tilde over (r)}_(0,2) as the least positive solution of the following: r _(0,2) ≡{tilde over (T)} ₀ ⁻¹({tilde over (ω)}₀+({tilde over (ω)}₁ +ũ _(1,1))·p)(mod p ^(M)).  (181) Define {tilde over (T)}₂ as the least positive solution of the following: N ₀ ≡{tilde over (T)} ₂ ·{tilde over (r)} _(0,2) ² (mod p^(M)).  (182) If {tilde over (T)}₂ is odd, define N ₂ ={tilde over (T)} ₂ ·N ₀.  (183) Define Ã₂ as a solution of the following N ₂ ≡Ã ₂ ⁻²(mod p^(M)).  (184) Then the general expression of the pair (r,s) will be

$\begin{matrix} \left\{ {\begin{matrix} {r = {{\overset{\sim}{A}}_{2} + {{U\left( {\overset{\sim}{T}}_{2} \right)} \cdot p^{2}} - {{V\left( {\overset{\sim}{T}}_{2} \right)} \cdot p^{4}}}} \\ {s = {{\overset{\sim}{A}}_{2} + {{U\left( {\overset{\sim}{T}}_{2} \right)} \cdot p^{2}} - {{V\left( {\overset{\sim}{T}}_{2} \right)} \cdot p^{4}}}} \end{matrix},} \right. & (185) \end{matrix}$ for some integers U({tilde over (T)}₂) and V({tilde over (T)}₂). Compare with (41). Notice that (41) and (185) operate on rectangular lattices of sides p² and p⁴. Compare with (24). NOTE 1: The integers u₂ and U(T₂) are related to each other. In fact,

$\begin{matrix} \left\{ \begin{matrix} {{\overset{\sim}{T}}_{0} \equiv {N_{0} \cdot {\alpha^{- 2}\left( {{mod}\mspace{14mu} p^{M}} \right)}}} \\ {{\overset{\sim}{T}}_{2} \equiv {N_{0} \cdot {r_{0,2}^{- 2}\left( {{mod}\mspace{14mu} p^{M}} \right)}}} \end{matrix} \right. & (186) \end{matrix}$ and U({tilde over (T)} ₂)≡{tilde over (T)} ₂ ·{tilde over (T)} ₀ ⁻¹ ·Ũ _(2,2)(mod p ⁴).  (187) Thus U₂,₂ is a known quantity, and the solution of (183) follows the pattern of (142).

NOTE 2: In (142) the congruences modulo p^(n) and p^(n−1) do not depend explicitly on the variables of the system (u_(i) and ν_(i)), because such dependence is embedded in the definition of N. Likewise, the four highest degree congruences (say p^(M), P^(M−1), p^(M−2), p^(M−3)) do not depend explicitly on the corresponding variables.

XII. THE CASE WHEN ũ₁≡0(mod p)

Consider the case when N₀ is known not to be a prime number, and the algorithm does not determine any divisor of N₀ for any {tilde over (α)} and for ũ₁≢0 (mod p).

It has been observed that, given p, this situation occurs in less than 1% of the integers under test.

The problem can be addressed by defining {tilde over (T)}₂ as a solution of the following: N ₀ ≡T ₂·α²(mod p^(M))  (188) and restating (185) accordingly. In this case, a solution of (185) may exist only if U({tilde over (T)}₂)≢0 (mod p²).

One possible strategy is to select a different prime, say p′, relying on the low probability that ũ be congruent to zero both modulo p and modulo p′. Of course, it is also possible to execute the proposed algorithm in parallel using both p and p′.

XIII. THE CASES WHEN ω₁ ²−u₁ ²≡0 (mod p)

A similar situation may occur when ω₁ ²−u₁ ²≡0 (mod p). This situation was observed in less than 1% of the cases under test. Again duplicating the algorithm using a different prime may solve the problem.

XIV. OTHER SINGULAR EVENTS

A variety of rare, singular events occur occasionally. Some of the Tables presented in this document describe unexpected events. Gradually, such events are being understood. All of them can be sidestepped by changing the selection of p.

Fundamentally, the proposed representation of integers and the resulting management of the carries offer a primary avenue towards the control of the factorization problem.

APPENDIX A NOTE ON CONGRUENCES WITH TRUNCATED VARIABLES

Consider the linear congruence A·x+B·y≡C (mod p ²)  (A.1) where A≢0(modp) and B≢0 (mod p). Let

$\begin{matrix} \left\{ {\begin{matrix} {x = {x_{0} + {x_{1} \cdot p}}} \\ {y = {y_{0} + {y_{1} \cdot p}}} \end{matrix}.} \right. & \left( {A{.2}} \right) \end{matrix}$

Consider the case when x and y are constrained by the conditions that 0≤x₀, y₀≤p−1 to and also x₁=0 and y₁=0. In other words, x and y are “truncated” modulo p.

To solve (A.1) under these constraints, let C=c₀+c₁·p and solve A·x+B·y≡c ₀ (mod p).  (A.3)

There exist p solution pairs (x₀,y₀) for this congruence. For each solution pair, compute the integer λ·p=A·x ₀ +B·y ₀ −c ₀.  (A.4)

Depending on the value of c₁, there may be one or more solution pairs which satisfy (A.1), even though x and y are truncated modulo p. Also, in some cases, there is no solution pair for which λ≡c₁ (mod p).

The situation is illustrated by Table A.I, which shows the case when p=29, A=38, B=41, c₀=2, c₁=13.

The example illustrates the fact that a pair (x₀, y₀), which was truncated modulo p, may satisfy a congruence modulo p².

TABLE A.1 Example of Truncated Linear Congruence (p = 29, A = 38, B = 41, c₀ = 2, c₁ = 13) (x₀, y₀) A · x₀ + B · y₀ − c₀ c₁ · p (0, 5)  7 · p 13 p (1, 26)  9 p 13 · p (2, 18) 28 p 13 · p (3, 10) 18 p 13 p (4, 2)  8 p 13 p (5, 23) 10 · p 13 p (6, 15)  0 p 13 p (7, 7) 19 · p 13 · p (8, 28) 21 p 13 · p (9, 20) 11 · p 13 p (10, 12)  1 · p 13 · p (11, 4) 20 · p 13 p (12, 25) 22 p 13 p (13, 17) 12 · p 13 p (14, 9)  2 · p 13 · p (15, 1) 21 · p 13 · p (16, 22) 23 · p 13 p (17, 14) 13 · p 13 · p (18, 6)  3 · p 13 · p (19, 27)  5 · p 13 · p (20, 19) 24 p 13 · p (21, 11) 14 · p 13 · p (22, 3)  4 · p 13 · p (23, 24)  6 p 13 · p (24, 16) 25 · p 13 · p (25, 8) 15 · p 13 · p (26, 0)  5 p 13 · p (27, 21)  7 · p 13 · p (28, 13) 26 · p 13 · p Number of (x₀, y₀) pairs 29 Double Solutions 5, 7, 21 No Solutions 16, 17, 27

REFERENCES (All of which are incorporated by reference, herein)

[1] C. F. Gauss, Disquisitiones Arithmeticae, New York, N.Y.: Springer-Verlag, 1986.

[2] R. L. Rivest, A. Shamir, L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Communications of the ACM, Vol. 21, pp. 120-125, 1978.

[3] G. H. Hardy, E. M. Wright, In Introduction to the Theory of Numbers, Oxford, U. K., The Clarendon Press, 1979.

Following is a list of relevant features of the invention.

The present invention pertains to a method for decoding an encrypted electromagnetic signal W representative of a message encoded by a first computer with public key N₀=r×s, where N₀, r and s are integers and W is a function of r and s. The method comprises the steps of storing the signal W in a non-transient memory. There is the step of decoding with a second computer in communication with the memory the signal Win the memory with the second computer generated steps of selecting a prime number p of the form p=4k+1 for an odd integer k such that the public key N₀ is a non-quadratic residue modulo p; calculating n₀ satisfying the inequalities p^(n) ⁰ ⁻¹<N₀<p^(n) ⁰ computing N=τN₀ with a selection of τ such that N is a quadratic residue modulo p^(n) ⁰ ; calculating n satisfying the inequalities p^(n−1)<N<p^(n) and calculating a solution to N≡A ² (mod p ^(n)) (189) by using the representation

$\begin{matrix} {A = {\sum\limits_{i = 0}^{n}{\omega_{i}p^{i}}}} & (190) \end{matrix}$ where w_(i) satisfies the condition 0<ω_(i) <p ^(n−i).  (191)

There is the step of decrypting with the computer the signal W with the public key N₀ and the prime factors of integer N₀. There is the step of displaying on a display by the computer the decrypted signal W. There is the step of reviewing the decrypted signal W to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law.

There may be the second computer generated steps of defining M=2^(h)+1, for N=r×s with r>s, take the solution 1 and construct relations

$\begin{matrix} \left\{ \begin{matrix} {r = {A + {U \times p} - {V \times p^{2}}}} \\ {s = {A - {U \times p} - {V \times p^{2}}}} \end{matrix} \right. & (192) \end{matrix}$ with U, V as unknowns; forming a set of Supercongruence equations by matching coefficients of N and coefficients of (A+U×p−V×p²)(A−U×p−V×p²), the set of Supercongruence equations establishes M relations in terms of u_(i)'s and v_(i)'s, which are coefficients of U and V respectively; performing steps 1-4 using the Supercongruence equations where steps 1-7 are as follows:

1) Testing feasibilities of digits u₁'s and u₂'s.

2) Calculating carries by tallying differences on two sides of the Supercongruence equations.

3) Using carries to identify subsequent digits given a feasible pair of u₁ and u₂ by using Supercongruence equations again.

4) Using the Euclidean algorithm to test whether A+U×p−V×p² is a divisor of N₀.

There may be the step of enabling the alerting of a government agency to prevent the act that will occur to prevent physical damage or bodily injury to a person occurring. The steps described herein allows for the ability to alert a desired government agency if a review of the decrypted signal W indicates that an alert is warranted.

By using the methods described herein, N₀ is factored in time O(log⁶N₀). This speed is important, which only the operation of the second computer performing the second computer generated steps can achieve, because by having this speed for factoring, the signal W representative of a message can be effectively decrypted and deciphered in real time so any threat to property or individuals can be quickly acted upon to eliminate the threat before it occurs and actual damage to property or injury to individuals is prevented or mitigated. In other words, for W to be effectively understood, it must by decrypted fast enough that any threat identified in W can be stopped. The present invention with the use of the second computer allows for this capability. Here, it is inherent that to save lives if required, the second computer is required.

There may be the step of obtaining the electromagnetic signal W representative of a message from a telecommunications network, or a data network or an Internet or a non-transient memory. Law enforcement departments, such as Homeland Security, the FBI, the CIA, NSA, state and local Police or the Military have the well-known capability of obtaining or intercepting messages sent encrypted by a first computer operated by a potential terrorist or criminal as an electromagnetic signal, such as by smart phone or computer or intemet, or stored in the memory of a smart phone or computer, or a flash drive. The encrypted electromagnetic signal W can be extracted from such messages or memories and operated upon by the techniques described herein to decrypt the encrypted messages and read them to determine whether there is any violation of law or threat to property or individuals. Of course, the intended recipient of the encrypted message W by the first computer has the key so the recipient can decrypt the encrypted message W the recipient has received and understand it. It is the object of this invention, and the problem this invention solves, to allow a recipient of the encrypted message W who does not have the key to read it, to determine what the key N₀ is by the techniques described here, and then using the determined key N₀, decrypting the encrypted message W, reviewing what the decrypted message says, and acting as necessary to protect property damage or bodily injury or any type of crime, as deemed appropriate.

The present invention pertains to a second computer for decoding an encrypted electromagnetic signal W representative of a message encoded by a first computer with public key N₀=r×s, where N₀, r and s are integers and W is a function of r and s, comprising:

-   -   a non-transient memory in which the signal W is stored;

decoding with a CPU in communication with the memory the signal Win the memory that decodes the signal W by the second computer generated steps of selecting a prime number p of the form p=4k+1 for an odd integer k such that the public key N₀ is a non-quadratic residue modulo p; calculating n₀ satisfying the inequalities p^(n) ⁰ ⁻¹<N₀<p^(n) ⁰ computing N=τN₀ with a selection of τ such that N is a quadratic residue modulo p^(n) ⁰ ; calculating n satisfying the inequalities p^(n−1)<N<p^(n); and calculating a solution to N≡A ² (mod p ^(n))  (193) by using the representation

$\begin{matrix} {A = {\sum\limits_{i = 0}^{n}{\omega_{i}p^{i}}}} & (194) \end{matrix}$ where w_(i) satisfies the condition 0<ω_(i) <p ^(n−i),  (195) the CPU decrypting the signal W with the public key N₀ and the prime factors of integer N₀; and a display on which the decrypted signal W is displayed so the decrypted signal W can be reviewed to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law or will violate a law. The display can be a computer screen or smart phone screen or any screen or piece of paper on which the decrypted signal W is printed or any medium on which the decrypted signal W can be reviewed.

The CPU of the second computer may perform the CPU generated steps of defining M=2^(h)+1 for N₀=r×s with r>s, take the solution 1 and construct relations

$\begin{matrix} \left\{ \begin{matrix} {r = {A + {U \times p} - {V \times p^{2}}}} \\ {s = {A - {U \times p} - {V \times p^{2}}}} \end{matrix} \right. & (196) \end{matrix}$ with U, V as unknowns; forming a set of Supercongruence equations by matching coefficients of N and coefficients of (A+U×p−V×p²)(A−U×p−V×p²), the set of Supercongruence equations establishes M relations in terms u_(i)'s and v_(i)'s, which are coefficients of U and V respectively; performing steps 1-4 using the Supercongruence equations where steps 1-4 are as follows:

1) Testing feasibilities of digits u₁'s and u₂'s.

2) Calculating carries by tallying differences on two sides ofthe Supercongruence equations.

3) Using carries to identify subsequent digits given a feasible pair of u₁ and u₂ by using Supercongruence equations again.

4) Using the Euclidean algorithm to test whether A+U×p−V×p² is a divisor of N₀.

N₀ is factored by the CPU of the second computer in the time O(log⁶N₀).

The present invention pertains to a non-transitory readable storage medium which includes a computer program stored on the storage medium for decoding an encrypted electromagnetic signal W encoded by a first computer with public key N₀=r×s, where N₀, r and s are integers and W is a function of r and s, where the signal W has been stored in a non-transient memory of a second computer, having the second computer generated steps of:

Selecting a prime number p of the form p=4k+1 for an odd integer k such that the public key N₀ is a non-quadratic residue modulo p; calculating n₀ satisfying the inequalities p^(n) ⁰ ⁻¹<N₀<p^(n) ⁰ computing N=τN₀ with a selection of τ such that N is a quadratic residue modulo p^(n) ⁰ ; calculating n satisfying the inequalities p^(n−1)<N<p^(n); and calculating a solution to N≡A ² (mod p ^(n))  (197) by using the representation

$\begin{matrix} {A = {\sum\limits_{i = 0}^{n}{\omega_{i}p^{i}}}} & (198) \end{matrix}$ where w_(i) satisfies the condition 0<ω_(i) <p ^(n−1).  (199)

There is the step of decrypting with the second computer the signal W with the public key N₀ and the prime factors of integer N₀. There is the step of displaying on a display by the second computer the decrypted signal W. There is the step of reviewing the decrypted signal W for predetermined words to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law. It is well know in the art to search for words, such as bomb or gun, to flag a message for further review for possible action, as deemed appropriate.

The computer program may have the second computer generated steps of defining M=2^(h)+1 for N₀=r×s with r>s, take the solution 1 and construct relations

$\begin{matrix} \left\{ \begin{matrix} {r = {A + {U \times p} - {V \times p^{2}}}} \\ {s = {A - {U \times p} - {V \times p^{2}}}} \end{matrix} \right. & (200) \end{matrix}$ with U, V as unknowns; forming a set of Supercongruence equations by matching coefficients of N and coefficients of (A+U×p−V×p²)(A−U×p−V×p²), the set of Supercongruence equations establishes M relations in terms of u_(i)'s and v_(i)'s, which are coefficients of U and V respectively; performing steps 1-4 using the Supercongruence equations where steps 1-4 are as follows:

1) Testing feasibilities of digits u_(i)'s and v_(i)'s.

2) Calculating carries by tallying differences ontwo sides of the Supercongruence equations.

3) Using carries to identify subsequent digits given a feasible pair of u₁ and u₂ by using Supercongruence equations again.

4) Using the Euclidean algorithm to test whether A+U×p−V×p² is a divisor of N₀.

Although the invention has been described in detail in the foregoing embodiments for the purpose of illustration, it is to be understood that such detail is solely for that purpose and that variations can be made therein by those skilled in the art without departing from the spirit and scope of the invention except as it may be described by the following claims. 

The invention claimed is:
 1. A method for decoding an encrypted electromagnetic signal W encoded by a first computer with public key N₀=r×s, where N₀, r and s are integers comprising the steps of: obtaining the electromagnetic signal W from a telecommunications network, or a data network or an Internet or a first non-transient memory; storing the signal W in a second non-transient memory; decoding with a second computer in communication with the second non-transient memory the signal W in the memory by factoring the public key N₀ in time O(log⁶ N₀) with the second computer generated steps of selecting a prime number p of the form p=4k+1 for an odd integer k such that the public key N₀ is a non-quadratic residue modulo p; Calculating n₀ satisfying the inequalities p^(n) ⁰ ⁻¹<N₀<p^(n) ⁰ ; Computing N=τN₀ with a selection of τ such that N is a quadratic residue modulo p; Calculating n satisfying the inequalities p^(n−1)<N<p^(n); and Calculating a solution to N≡A ² (mod p ^(n)) by using the representation $A = {\sum\limits_{i = 0}^{n}{\omega_{i}p^{i}}}$ where ω_(i) satisfies the condition 0<ω_(i) <p ^(n−i); decrypting with the second computer the signal W with the public key N₀ and prime factors of integer N₀; displaying on a display by the second computer the prime factors of integer N₀; and reviewing the decrypted signal W for predetermined words with the second computer to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law, wherein the signal W representative of the message is effectively decrypted and deciphered thereby a threat to property or individuals in violation of the law can be acted upon to mitigate or eliminate the threat before the threat occurs and actual damage to property or injury to individuals is prevented or mitigated.
 2. The method of claim 1 including the second computer generated steps of defining M=2^(h)+1, for N=r×s with r>s, and constructing relations $\quad\left\{ \begin{matrix} {r = {A + {U \times p} - {V \times p^{2}}}} \\ {s = {A - {U \times p} - {V \times p^{2}}}} \end{matrix} \right.$ with U, V as unknowns; forming a set of Supercongruence equations by matching coefficients of N and coefficients of (A+U×p−V×p²)(A−U×p−V×p²), the set of Supercongruence equations establishes M relations in terms of u_(i)'s and v_(i)'s, which are coefficients of U and V respectively; performing steps 1-4 using the Supercongruence equations where steps 1-4 are as follows: 1) Testing feasibilities of digits u₁'s and u₂'s. 2) Calculating carries by tallying differences on two sides of the Supercongruence equations. 3) Using carries to identify subsequent digits given a feasible pair of u₁ and u₂ by using Supercongruence equations again. 4) Using the Euclidean algorithm to test whether A−U−p−V×p² is a divisor of N₀.
 3. The method of claim 2 enabling alerting a government agency to prevent the act that will occur to prevent physical damage or bodily injury to a person occurring.
 4. A second computer for decoding an encrypted electromagnetic signal W encoded by a first computer with public key N₀=r×s, where N₀, r and s are integers and W is a function of r and s, comprising: an input for obtaining the electromagnetic signal W from a telecommunications network, or a data network or an Internet or a first non-transient memory a second non-transient memory in communication with the input in which the signal W is stored; a cpu in communication with the second non-transient memory the signal W in the memory that decodes the signal W by factoring the public key N₀ in time O(log⁶ N₀) by the second computer generated steps of selecting a prime number p of the form p=4k+1 for an odd integer k such that the public key N₀ is a non-quadratic residue modulo p; calculating n₀ satisfying the inequalities p^(n) ⁰ ⁻¹<N₀<p^(n) ⁰ ; computing N=τN₀ with a selection of τ such that N is a quadratic residue modulo p; calculating n satisfying the inequalities p^(n−1)<N<p^(n); and calculating a solution to N≡A ² (mod p ^(n)) by using the representation $A = {\sum\limits_{i = 0}^{n}{\omega_{i}p^{i}}}$ where ω_(i) satisfies the condition 0<ω_(i)<p^(n−i), the cpu decrypting the signal W with the public key N₀ and prime factors of integer N₀; and the cpu reviewing the decrypted signal W for predetermined words to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law, wherein the signal W representative of the message is effectively decrypted and deciphered thereby a threat to property or individuals in violation of the law can be quickly acted upon to eliminate the threat before the threat occurs and actual damage to property or injury to individuals is prevented or mitigated.
 5. The apparatus of claim 4 wherein the cpu of the second computer performs the cpu generated steps of defining M=2^(h)+1, for N=r×s with r×s, and constructing relations $\quad\left\{ \begin{matrix} {r = {A + {U \times p} - {V \times p^{2}}}} \\ {s = {A - {U \times p} - {V \times p^{2}}}} \end{matrix} \right.$ with U, V as unknowns; forming a set of Supercongruence equations by matching coefficients of N and coefficients of (A+U×p−V×p²)(A−U×p−V×p²), the set of Supercongruence equations establishes M relations in terms of u_(i)'s and v_(i)'s, which are coefficients of U and V respectively; performing steps 1-4 using the Supercongruence equations where steps 1-4 are as follows: 1) Testing feasibilities of digits u₁'s and u₂'s. 2) Calculating carries by tallying differences on two sides of the Supercongruence equations. 3) Using carries to identify subsequent digits given a feasible pair of u₁ and u₂ by using Supercongruence equations again. 4) Using the Euclidean algorithm to test whether A−U×p−V×p² is a divisor of N₀.
 6. A non-transitory readable storage medium which includes a computer program stored on the storage medium for decoding an encrypted electromagnetic signal W encoded by a first computer with public key N₀=r×s, where N₀, r and s are integers and W is a function of r and s, where the signal W has been stored in a second non-transient memory of a second computer, and the second computer factoring the public key N₀ in time O(log⁶ N₀), the signal W obtained from a telecommunications network, or a data network or an Internet or a first non-transient memory, the computer program having the second computer generated steps of: selecting a prime number p of the form p=4k+1 for an odd integer k such that the public key N₀ is a non-quadratic residue modulo p; calculating n₀ satisfying the inequalities p^(n) ⁰ ⁻¹<N₀<p^(n) ⁰ ; computing N=τ N₀ with a selection of τ such that N is a quadratic residue modulo p; calculating n satisfying the inequalities p^(n−1)<N<p^(n); and calculating a solution to N≡A ² (mod p ^(n)) by using the representation $A = {\sum\limits_{i = 0}^{n}{\omega_{i}p^{i}}}$ where ω_(i) satisfies the condition 0<ω_(i) <p ^(n−i); decrypting with the second computer the signal W with the public key N₀ and prime factors of integer N₀; displaying on a display by the second computer the decrypted signal W; and reviewing the decrypted signal W for predetermined words to determine if the decrypted signal W indicates an act has occurred or will occur that violates a law, or will violate a law, wherein the signal W representative of the message is effectively decrypted and deciphered thereby a threat to property or individuals in violation of the law can be quickly acted upon to eliminate the threat before the threat occurs and actual damage to property or injury to individuals is prevented or mitigated.
 7. The storage medium of claim 6 having the second computer generated steps of defining M=2^(h)+1, for N=r×s with r>s, and constructing relations $\quad\left\{ \begin{matrix} {r = {A + {U \times p} - {V \times p^{2}}}} \\ {s = {A - {U \times p} - {V \times p^{2}}}} \end{matrix} \right.$ with U, V as unknowns; forming a set of Supercongruence equations by matching coefficients of N and coefficients of (A+U×p−V×p²)(A−U×p−V×p²), the set of Supercongruence equations establishes M relations in terms of u_(i)'s and v_(i)'s, which are coefficients of U and V respectively; performing steps 1-4 using the Supercongruence equations where steps 1-4 are as follows: 1) Testing feasibilities of digits u₁'s and u₂'s. 2) Calculating carries by tallying differences on two sides of the Supercongruence equations. 3) Using carries to identify subsequent digits given a feasible pair of u₁ and u₂ by using Supercongruence equations again. 4) Using the Euclidean algorithm to test whether A−U×p−V×p² is a divisor of N₀. 